diff --git a/.github/workflows/cli.yml b/.github/workflows/cli.yml
new file mode 100644
index 000000000..30ffde52f
--- /dev/null
+++ b/.github/workflows/cli.yml
@@ -0,0 +1,77 @@
+name: CLI
+
+on:
+  push:
+    branches: [develop]
+  pull_request:
+    branches: [develop]
+
+jobs:
+  build:
+    name: Build and test ${{ matrix.os }}
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        os: [linux, darwin, windows]
+    env:
+      VAULT_VERSION: "1.1.3"
+      VAULT_TOKEN: "root"
+      VAULT_ADDR: "http://127.0.0.1:8200"
+    steps:
+      - name: Install dependencies
+        run: sudo apt-get update && sudo apt-get install git -y
+      - name: Set up Go 1.13
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.13
+        id: go
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v2
+      - uses: actions/cache@v2
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      - name: Build
+        run: GOOS=${{ matrix.os }} go build -o sops-${{ matrix.os }}-${{ github.sha }} -v ./cmd/sops
+      - name: Import test GPG keys
+        run: for i in 1 2 3 4 5; do gpg --import pgp/sops_functional_tests_key.asc && break || sleep 15; done
+      - name: Test
+        run: make test
+      - name: Upload artifact
+        uses: actions/upload-artifact@v2
+        with:
+          name: sops-${{ matrix.os }}-${{ github.sha }}
+          path: sops-${{ matrix.os }}-${{ github.sha }}
+  test:
+    name: Functional tests
+    runs-on: ubuntu-latest
+    needs: [build]
+    env:
+      VAULT_VERSION: "1.1.3"
+      VAULT_TOKEN: "root"
+      VAULT_ADDR: "http://127.0.0.1:8200"
+    steps:
+      - name: Install rustup
+        run: curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | bash -s -- -y --default-toolchain 1.47.0
+      - name: Check out code
+        uses: actions/checkout@v2
+      - uses: actions/download-artifact@v2
+        with:
+          name: sops-linux-${{ github.sha }}
+      - name: Move SOPS binary
+        run: mv sops-linux-${{ github.sha }} ./functional-tests/sops
+      - name: Make SOPS binary executable
+        run: chmod +x ./functional-tests/sops
+      - name: Download Vault
+        run: curl -O "https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip" && sudo unzip vault_${VAULT_VERSION}_linux_amd64.zip -d /usr/local/bin/
+      - name: Start Vault server
+        run: vault server -dev -dev-root-token-id="$VAULT_TOKEN" &
+      - name: Enable Vault KV
+        run: vault secrets enable -version=1 kv
+      - name: Import test GPG keys
+        run: for i in 1 2 3 4 5; do gpg --import pgp/sops_functional_tests_key.asc && break || sleep 15; done
+      - name: Run tests
+        run: cargo test
+        working-directory: ./functional-tests
diff --git a/.travis.yml b/.travis.yml
deleted file mode 100644
index dd5307efe..000000000
--- a/.travis.yml
+++ /dev/null
@@ -1,55 +0,0 @@
-language: go
-go: 1.13
-go_import_path: go.mozilla.org/sops/
-
-env:
-  - VAULT_VERSION=1.1.3 VAULT_TOKEN=root VAULT_ADDR='http://127.0.0.1:8200'
-
-addons:
-  apt:
-    packages:
-      - rpm
-      - ruby
-      - python3
-      - unzip
-
-before_install:
-  - gem install fpm || sudo gem install fpm
-  - curl https://sh.rustup.rs -sSf | sh -s -- -y
-  - source ~/.cargo/env
-  - curl -O "https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip" && sudo unzip vault_${VAULT_VERSION}_linux_amd64.zip -d /usr/local/bin/
-
-before_script:
-  - vault server -dev -dev-root-token-id="$VAULT_TOKEN" &
-  - sleep 5
-  - vault secrets enable -version=1 kv
-
-script:
-  - 'if [ "$TRAVIS_PULL_REQUEST" != "false" ]; then make; fi'
-  - 'if [ "$TRAVIS_PULL_REQUEST" = "false" ]; then make origin-build; fi'
-  - bash <(curl -s https://codecov.io/bash)
-
-before_deploy:
-  - mkdir dist
-  - make deb-pkg rpm-pkg
-  - mv *.deb *.rpm dist/
-  - GOOS=darwin CGO_ENABLED=0 GO111MODULE=on go build -mod vendor -o dist/sops-${TRAVIS_TAG}.darwin go.mozilla.org/sops/v3/cmd/sops
-  - GOOS=windows CGO_ENABLED=0 GO111MODULE=on go build -mod vendor -o dist/sops-${TRAVIS_TAG}.exe go.mozilla.org/sops/v3/cmd/sops
-  - GOOS=linux CGO_ENABLED=0 GO111MODULE=on go build -mod vendor -o dist/sops-${TRAVIS_TAG}.linux go.mozilla.org/sops/v3/cmd/sops
-  - |
-      if [ ! -z "$TRAVIS_TAG" ]; then
-        version="v$(grep '^const Version' version/version.go |cut -d '"' -f 2)"
-        if [ "$version" != "$TRAVIS_TAG" ]; then
-            echo "Git tag $TRAVIS_TAG does not match version $version, update the source!"
-            exit 1
-        fi
-      fi
-
-deploy:
-  provider: releases
-  api_key: "${GITHUB_OAUTH_TOKEN}"
-  file_glob: true
-  file: dist/*
-  skip_cleanup: true
-  on:
-    tags: true
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 48e777227..5a3049738 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -1,6 +1,23 @@
 Changelog
 =========
 
+3.7.0
+-----
+Features:
+
+    * Add support for age (#688)
+    * Add filename to exec-file (#761)
+
+Changes:
+
+    * On failed decryption with GPG, return the error returned by GPG to the sops user (#762)
+    * Use yaml.v3 instead of modified yaml.v2 for handling YAML files (#791)
+    * Update aws-sdk-go to version v1.37.18 (#823)
+
+Project Changes:
+
+    * Switch from TravisCI to Github Actions (#792)
+
 3.6.1
 -----
 Features:
diff --git a/README.rst b/README.rst
index 603356c21..b05fcf107 100644
--- a/README.rst
+++ b/README.rst
@@ -2,7 +2,7 @@ SOPS: Secrets OPerationS
 ========================
 
 **sops** is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY
-formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault and PGP.
+formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP.
 (`demo <https://www.youtube.com/watch?v=YTEVyLXFiq0>`_)
 
 .. image:: https://i.imgur.com/X0TM5NI.gif
@@ -178,6 +178,33 @@ the example files and pgp key provided with the repository::
 This last step will decrypt ``example.yaml`` using the test private key.
 
 
+Encrypting using age
+~~~~~~~~~~~~~~~~~~~~
+
+`age <https://age-encryption.org/>`_ is a simple, modern, and secure tool for
+encrypting files. It's recommended to use age over PGP, if possible.
+
+You can encrypt a file for one or more age recipients (comma separated) using
+the ``--age`` option or the **SOPS_AGE_RECIPIENTS** environment variable:
+
+.. code:: bash
+
+   $ sops --age age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw test.yaml > test.enc.yaml
+
+When decrypting a file with the corresponding identity, sops will look for a
+text file name ``keys.txt`` located in a ``sops`` subdirectory of your user
+configuration directory. On Linux, this would be ``$XDG_CONFIG_HOME/sops/keys.txt``.
+On macOS, this would be ``$HOME/Library/Application Support/sops/keys.txt``. On
+Windows, this would be ``%AppData%\sops\keys.txt``. You can specify the location
+of this file manually by setting the environment variable **SOPS_AGE_KEY_FILE**.
+
+The contents of this key file should be a list of age X25519 identities, one
+per line. Lines beginning with ``#`` are considered comments and ignored. Each
+identity will be tried in sequence until one is able to decrypt the data.
+
+Encrypting with SSH keys via age is not yet supported by sops.
+
+
 Encrypting using GCP KMS
 ~~~~~~~~~~~~~~~~~~~~~~~~
 GCP KMS uses `Application Default Credentials
@@ -372,7 +399,7 @@ The sops team recommends the ``updatekeys`` approach.
 ``updatekeys`` command
 **********************
 
-The ``updatekeys`` command uses the `.sops.yaml <#29using-sopsyaml-conf-to-select-kmspgp-for-new-files>`_
+The ``updatekeys`` command uses the `.sops.yaml <#using-sops-yaml-conf-to-select-kms-pgp-for-new-files>`_
 configuration file to update (add or remove) the corresponding secrets in the
 encrypted file. Note that the example below uses the
 `Block Scalar yaml construct <https://yaml-multiline.info/>`_ to build a space
@@ -675,7 +702,7 @@ Specify a different GPG key server
 
 By default, ``sops`` uses the key server ``keys.openpgp.org`` to retrieve the GPG
 keys that are not present in the local keyring.
-This is no longer configurable. You can learn more about why from this write-up: [SKS Keyserver Network Under Attack](https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f).
+This is no longer configurable. You can learn more about why from this write-up: `SKS Keyserver Network Under Attack <https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f>`_.
 
 Example: place the following in your ``~/.bashrc``
 
@@ -986,6 +1013,9 @@ encrypted file is only readable by root, but the target program does not
 need root privileges to function. This flag should be used where possible
 for added security.
 
+To overwrite the default file name (``tmp-file``) in ``exec-file`` use the
+``--filename <filename>`` parameter.
+
 .. code:: bash
 
    # the encrypted file can't be read by the current user
@@ -1402,7 +1432,7 @@ By default, ``sops`` encrypts all the values of a YAML or JSON file and leaves t
 keys in cleartext. In some instances, you may want to exclude some values from
 being encrypted. This can be accomplished by adding the suffix **_unencrypted**
 to any key of a file. When set, all values underneath the key that set the
-**_unencrypted** prefix will be left in cleartext.
+**_unencrypted** suffix will be left in cleartext.
 
 Note that, while in cleartext, unencrypted content is still added to the
 checksum of the file, and thus cannot be modified outside of sops without
diff --git a/age/keys.txt b/age/keys.txt
new file mode 100644
index 000000000..c56eb4fab
--- /dev/null
+++ b/age/keys.txt
@@ -0,0 +1,3 @@
+# created: 2020-07-18T03:16:47-07:00
+# public key: age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw
+AGE-SECRET-KEY-1NJT5YCS2LWU4V4QAJQ6R4JNU7LXPDX602DZ9NUFANVU5GDTGUWCQ5T59M6
diff --git a/age/keysource.go b/age/keysource.go
new file mode 100644
index 000000000..c0b9c6561
--- /dev/null
+++ b/age/keysource.go
@@ -0,0 +1,203 @@
+package age
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"filippo.io/age"
+	"filippo.io/age/armor"
+	"github.com/sirupsen/logrus"
+	"go.mozilla.org/sops/v3/logging"
+)
+
+var log *logrus.Logger
+
+func init() {
+	log = logging.NewLogger("AGE")
+}
+
+const privateKeySizeLimit = 1 << 24 // 16 MiB
+
+// MasterKey is an age key used to encrypt and decrypt sops' data key.
+type MasterKey struct {
+	Identity     string // a Bech32-encoded private key
+	Recipient    string // a Bech32-encoded public key
+	EncryptedKey string // a sops data key encrypted with age
+
+	parsedIdentity  *age.X25519Identity  // a parsed age private key
+	parsedRecipient *age.X25519Recipient // a parsed age public key
+}
+
+// Encrypt takes a sops data key, encrypts it with age and stores the result in the EncryptedKey field.
+func (key *MasterKey) Encrypt(datakey []byte) error {
+	buffer := &bytes.Buffer{}
+
+	if key.parsedRecipient == nil {
+		parsedRecipient, err := parseRecipient(key.Recipient)
+
+		if err != nil {
+			log.WithField("recipient", key.parsedRecipient).Error("Encryption failed")
+			return err
+		}
+
+		key.parsedRecipient = parsedRecipient
+	}
+
+	aw := armor.NewWriter(buffer)
+	w, err := age.Encrypt(aw, key.parsedRecipient)
+	if err != nil {
+		return fmt.Errorf("failed to open file for encrypting sops data key with age: %w", err)
+	}
+
+	if _, err := w.Write(datakey); err != nil {
+		log.WithField("recipient", key.parsedRecipient).Error("Encryption failed")
+		return fmt.Errorf("failed to encrypt sops data key with age: %w", err)
+	}
+
+	if err := w.Close(); err != nil {
+		log.WithField("recipient", key.parsedRecipient).Error("Encryption failed")
+		return fmt.Errorf("failed to close file for encrypting sops data key with age: %w", err)
+	}
+
+	if err := aw.Close(); err != nil {
+		log.WithField("recipient", key.parsedRecipient).Error("Encryption failed")
+		return fmt.Errorf("failed to close armored writer: %w", err)
+	}
+
+	key.EncryptedKey = buffer.String()
+
+	log.WithField("recipient", key.parsedRecipient).Info("Encryption succeeded")
+
+	return nil
+}
+
+// EncryptIfNeeded encrypts the provided sops' data key and encrypts it if it hasn't been encrypted yet.
+func (key *MasterKey) EncryptIfNeeded(datakey []byte) error {
+	if key.EncryptedKey == "" {
+		return key.Encrypt(datakey)
+	}
+
+	return nil
+}
+
+// EncryptedDataKey returns the encrypted data key this master key holds.
+func (key *MasterKey) EncryptedDataKey() []byte {
+	return []byte(key.EncryptedKey)
+}
+
+// SetEncryptedDataKey sets the encrypted data key for this master key.
+func (key *MasterKey) SetEncryptedDataKey(enc []byte) {
+	key.EncryptedKey = string(enc)
+}
+
+// Decrypt decrypts the EncryptedKey field with the age identity and returns the result.
+func (key *MasterKey) Decrypt() ([]byte, error) {
+	ageKeyFilePath, ok := os.LookupEnv("SOPS_AGE_KEY_FILE")
+
+	if !ok {
+		userConfigDir, err := os.UserConfigDir()
+
+		if err != nil {
+			return nil, fmt.Errorf("user config directory could not be determined: %w", err)
+		}
+
+		ageKeyFilePath = filepath.Join(userConfigDir, "sops", "age", "keys.txt")
+	}
+
+	ageKeyFile, err := os.Open(ageKeyFilePath)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to open file: %w", err)
+	}
+
+	defer ageKeyFile.Close()
+
+	identities, err := age.ParseIdentities(ageKeyFile)
+
+	if err != nil {
+		return nil, err
+	}
+
+	src := bytes.NewReader([]byte(key.EncryptedKey))
+	ar := armor.NewReader(src)
+	r, err := age.Decrypt(ar, identities...)
+
+	if err != nil {
+		return nil, fmt.Errorf("no age identity found in %q that could decrypt the data", ageKeyFilePath)
+	}
+
+	var b bytes.Buffer
+	if _, err := io.Copy(&b, r); err != nil {
+		return nil, fmt.Errorf("failed to copy decrypted data into bytes.Buffer: %w", err)
+	}
+
+	return b.Bytes(), nil
+}
+
+// NeedsRotation returns whether the data key needs to be rotated or not.
+func (key *MasterKey) NeedsRotation() bool {
+	return false
+}
+
+// ToString converts the key to a string representation.
+func (key *MasterKey) ToString() string {
+	return key.Recipient
+}
+
+// ToMap converts the MasterKey to a map for serialization purposes.
+func (key *MasterKey) ToMap() map[string]interface{} {
+	return map[string]interface{}{"recipient": key.Recipient, "enc": key.EncryptedKey}
+}
+
+// MasterKeysFromRecipients takes a comma-separated list of Bech32-encoded public keys and returns a
+// slice of new MasterKeys.
+func MasterKeysFromRecipients(commaSeparatedRecipients string) ([]*MasterKey, error) {
+	if commaSeparatedRecipients == "" {
+		// otherwise Split returns [""] and MasterKeyFromRecipient is unhappy
+		return make([]*MasterKey, 0), nil
+	}
+	recipients := strings.Split(commaSeparatedRecipients, ",")
+
+	var keys []*MasterKey
+
+	for _, recipient := range recipients {
+		key, err := MasterKeyFromRecipient(recipient)
+
+		if err != nil {
+			return nil, err
+		}
+
+		keys = append(keys, key)
+	}
+
+	return keys, nil
+}
+
+// MasterKeyFromRecipient takes a Bech32-encoded public key and returns a new MasterKey.
+func MasterKeyFromRecipient(recipient string) (*MasterKey, error) {
+	parsedRecipient, err := parseRecipient(recipient)
+
+	if err != nil {
+		return nil, err
+	}
+
+	return &MasterKey{
+		Recipient:       recipient,
+		parsedRecipient: parsedRecipient,
+	}, nil
+}
+
+// parseRecipient attempts to parse a string containing an encoded age public key
+func parseRecipient(recipient string) (*age.X25519Recipient, error) {
+	parsedRecipient, err := age.ParseX25519Recipient(recipient)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse input as Bech32-encoded age public key: %w", err)
+	}
+
+	return parsedRecipient, nil
+}
diff --git a/age/keysource_test.go b/age/keysource_test.go
new file mode 100644
index 000000000..2a3bebdfd
--- /dev/null
+++ b/age/keysource_test.go
@@ -0,0 +1,69 @@
+package age
+
+import (
+	"os"
+	"path"
+	"runtime"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestMasterKeysFromRecipientsEmpty(t *testing.T) {
+	assert := assert.New(t)
+
+	commaSeparatedRecipients := ""
+	recipients, err := MasterKeysFromRecipients(commaSeparatedRecipients)
+
+	assert.NoError(err)
+
+	assert.Equal(recipients, make([]*MasterKey, 0))
+}
+
+func TestAge(t *testing.T) {
+	assert := assert.New(t)
+
+	key, err := MasterKeyFromRecipient("age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw")
+
+	assert.NoError(err)
+	assert.Equal("age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw", key.ToString())
+
+	dataKey := []byte("abcdefghijklmnopqrstuvwxyz123456")
+
+	err = key.Encrypt(dataKey)
+	assert.NoError(err)
+
+	_, filename, _, _ := runtime.Caller(0)
+	err = os.Setenv("SOPS_AGE_KEY_FILE", path.Join(path.Dir(filename), "keys.txt"))
+	assert.NoError(err)
+
+	decryptedKey, err := key.Decrypt()
+	assert.NoError(err)
+	assert.Equal(dataKey, decryptedKey)
+}
+
+func TestAgeDotEnv(t *testing.T) {
+	assert := assert.New(t)
+
+	key, err := MasterKeyFromRecipient("age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw")
+
+	assert.NoError(err)
+	assert.Equal("age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw", key.ToString())
+
+	dotenv := `IMAGE_PREFIX=repo/service-
+APPLICATION_KEY=K6pfAWuUVND9Fz5SC7jmA6pfAWuUVND9Fz5SC7jmA
+KEY_ID=003683d721f2ae683d721f2a1
+DOMAIN=files.127.0.0.1.nip.io`
+	dataKey := []byte(dotenv)
+
+	err = key.Encrypt(dataKey)
+	assert.NoError(err)
+
+	_, filename, _, _ := runtime.Caller(0)
+	err = os.Setenv("SOPS_AGE_KEY_FILE", path.Join(path.Dir(filename), "keys.txt"))
+	assert.NoError(err)
+
+	decryptedKey, err := key.Decrypt()
+	assert.NoError(err)
+	assert.Equal(dataKey, decryptedKey)
+}
diff --git a/audit/audit.go b/audit/audit.go
index 1a29f5ea2..b52215077 100644
--- a/audit/audit.go
+++ b/audit/audit.go
@@ -12,7 +12,7 @@ import (
 	// empty import as per https://godoc.org/github.com/lib/pq
 	_ "github.com/lib/pq"
 
-	"github.com/mozilla-services/yaml"
+	"gopkg.in/yaml.v3"
 	"github.com/sirupsen/logrus"
 	"go.mozilla.org/sops/v3/logging"
 )
diff --git a/azkv/keysource.go b/azkv/keysource.go
index 85a549b7f..127ccccf8 100644
--- a/azkv/keysource.go
+++ b/azkv/keysource.go
@@ -210,7 +210,7 @@ func (key *MasterKey) Encrypt(dataKey []byte) error {
 			"key":     key.Name,
 			"version": key.Version,
 		}).Error("Encryption failed")
-		return fmt.Errorf("Failed to encrypt data: %v", err)
+		return fmt.Errorf("Failed to encrypt data: %w", err)
 	}
 
 	key.EncryptedKey = *res.Result
@@ -244,7 +244,7 @@ func (key *MasterKey) Decrypt() ([]byte, error) {
 			"key":     key.Name,
 			"version": key.Version,
 		}).Error("Decryption failed")
-		return nil, fmt.Errorf("Error decrypting key: %v", err)
+		return nil, fmt.Errorf("Error decrypting key: %w", err)
 	}
 
 	plaintext, err := base64.RawURLEncoding.DecodeString(*res.Result)
diff --git a/cmd/sops/main.go b/cmd/sops/main.go
index e99733d8e..148daa729 100644
--- a/cmd/sops/main.go
+++ b/cmd/sops/main.go
@@ -16,6 +16,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"go.mozilla.org/sops/v3"
 	"go.mozilla.org/sops/v3/aes"
+	"go.mozilla.org/sops/v3/age"
 	_ "go.mozilla.org/sops/v3/audit"
 	"go.mozilla.org/sops/v3/azkv"
 	"go.mozilla.org/sops/v3/cmd/sops/codes"
@@ -61,7 +62,7 @@ func main() {
 		},
 	}
 	app.Name = "sops"
-	app.Usage = "sops - encrypted file editor with AWS KMS, GCP KMS, Azure Key Vault and GPG support"
+	app.Usage = "sops - encrypted file editor with AWS KMS, GCP KMS, Azure Key Vault, age, and GPG support"
 	app.ArgsUsage = "sops [options] file"
 	app.Version = version.Version
 	app.Authors = []cli.Author{
@@ -96,6 +97,9 @@ func main() {
     https://docs.microsoft.com/en-us/go/azure/azure-sdk-go-authorization#use-environment-based-authentication.
     The user/sp needs the key/encrypt and key/decrypt permissions)
 
+   To encrypt or decrypt using age, specify the recipient in the -a flag, or
+   in the SOPS_AGE_RECIPIENTS environment variable.
+
    To encrypt or decrypt using PGP, specify the PGP fingerprint in the
    -p flag or in the SOPS_PGP_FP environment variable.
 
@@ -191,6 +195,10 @@ func main() {
 					Name:  "output-type",
 					Usage: "currently json, yaml, dotenv and binary are supported. If not set, sops will use the input file's extension to determine the output format",
 				},
+				cli.StringFlag{
+					Name:  "filename",
+					Usage: "filename for the temporarily file (default: tmp-file)",
+				},
 			}, keyserviceFlags...),
 			Action: func(c *cli.Context) error {
 				if len(c.Args()) != 2 {
@@ -218,12 +226,18 @@ func main() {
 					return toExitError(err)
 				}
 
+				filename := c.String("filename")
+				if filename == "" {
+					filename = "tmp-file"
+				}
+
 				if err := exec.ExecWithFile(exec.ExecOpts{
 					Command:    command,
 					Plaintext:  output,
 					Background: c.Bool("background"),
 					Fifo:       !c.Bool("no-fifo"),
 					User:       c.String("user"),
+					Filename:   filename,
 				}); err != nil {
 					return toExitError(err)
 				}
@@ -377,6 +391,10 @@ func main() {
 							Name:  "hc-vault-transit",
 							Usage: "the full vault path to the key used to encrypt/decrypt. Make you choose and configure a key with encrption/decryption enabled (e.g. 'https://vault.example.org:8200/v1/transit/keys/dev'). Can be specified more than once",
 						},
+						cli.StringSliceFlag{
+							Name:  "age",
+							Usage: "the age recipient the new group should contain. Can be specified more than once",
+						},
 						cli.BoolFlag{
 							Name:  "in-place, i",
 							Usage: "write output back to the same file instead of stdout",
@@ -396,6 +414,7 @@ func main() {
 						gcpKmses := c.StringSlice("gcp-kms")
 						vaultURIs := c.StringSlice("hc-vault-transit")
 						azkvs := c.StringSlice("azure-kv")
+						ageRecipients := c.StringSlice("age")
 						var group sops.KeyGroup
 						for _, fp := range pgpFps {
 							group = append(group, pgp.NewMasterKeyFromFingerprint(fp))
@@ -422,6 +441,14 @@ func main() {
 							}
 							group = append(group, k)
 						}
+						for _, recipient := range ageRecipients {
+							k, err := age.MasterKeyFromRecipient(recipient)
+							if err != nil {
+								log.WithError(err).Error("Failed to add key")
+								continue
+							}
+							group = append(group, k)
+						}
 						return groups.Add(groups.AddOpts{
 							InputPath:      c.String("file"),
 							InPlace:        c.Bool("in-place"),
@@ -552,6 +579,11 @@ func main() {
 			Usage:  "comma separated list of PGP fingerprints",
 			EnvVar: "SOPS_PGP_FP",
 		},
+		cli.StringFlag{
+			Name:   "age, a",
+			Usage:  "comma separated list of age recipients",
+			EnvVar: "SOPS_AGE_RECIPIENTS",
+		},
 		cli.BoolFlag{
 			Name:  "in-place, i",
 			Usage: "write output back to the same file instead of stdout",
@@ -604,6 +636,14 @@ func main() {
 			Name:  "rm-hc-vault-transit",
 			Usage: "remove the provided comma-separated list of Vault's URI key from the list of master keys on the given file ( eg. https://vault.example.org:8200/v1/transit/keys/dev)",
 		},
+		cli.StringFlag{
+			Name:  "add-age",
+			Usage: "add the provided comma-separated list of age recipients fingerprints to the list of master keys on the given file",
+		},
+		cli.StringFlag{
+			Name:  "rm-age",
+			Usage: "remove the provided comma-separated list of age recipients from the list of master keys on the given file",
+		},
 		cli.StringFlag{
 			Name:  "add-pgp",
 			Usage: "add the provided comma-separated list of PGP fingerprints to the list of master keys on the given file",
@@ -673,8 +713,8 @@ func main() {
 			return toExitError(err)
 		}
 		if _, err := os.Stat(fileName); os.IsNotExist(err) {
-			if c.String("add-kms") != "" || c.String("add-pgp") != "" || c.String("add-gcp-kms") != "" || c.String("add-hc-vault-transit") != "" || c.String("add-azure-kv") != "" ||
-				c.String("rm-kms") != "" || c.String("rm-pgp") != "" || c.String("rm-gcp-kms") != "" || c.String("rm-hc-vault-transit") != "" || c.String("rm-azure-kv") != "" {
+			if c.String("add-kms") != "" || c.String("add-pgp") != "" || c.String("add-gcp-kms") != "" || c.String("add-hc-vault-transit") != "" || c.String("add-azure-kv") != "" || c.String("add-age") != "" ||
+				c.String("rm-kms") != "" || c.String("rm-pgp") != "" || c.String("rm-gcp-kms") != "" || c.String("rm-hc-vault-transit") != "" || c.String("rm-azure-kv") != "" || c.String("rm-age") != "" {
 				return common.NewExitError("Error: cannot add or remove keys on non-existent files, use `--kms` and `--pgp` instead.", codes.CannotChangeKeysFromNonExistentFile)
 			}
 			if c.Bool("encrypt") || c.Bool("decrypt") || c.Bool("rotate") {
@@ -802,6 +842,13 @@ func main() {
 			for _, k := range hcVaultKeys {
 				addMasterKeys = append(addMasterKeys, k)
 			}
+			ageKeys, err := age.MasterKeysFromRecipients(c.String("add-age"))
+			if err != nil {
+				return err
+			}
+			for _, k := range ageKeys {
+				addMasterKeys = append(addMasterKeys, k)
+			}
 
 			var rmMasterKeys []keys.MasterKey
 			for _, k := range kms.MasterKeysFromArnString(c.String("rm-kms"), kmsEncryptionContext, c.String("aws-profile")) {
@@ -827,6 +874,13 @@ func main() {
 			for _, k := range hcVaultKeys {
 				rmMasterKeys = append(rmMasterKeys, k)
 			}
+			ageKeys, err = age.MasterKeysFromRecipients(c.String("rm-age"))
+			if err != nil {
+				return err
+			}
+			for _, k := range ageKeys {
+				rmMasterKeys = append(rmMasterKeys, k)
+			}
 
 			output, err = rotate(rotateOpts{
 				OutputStore:      outputStore,
@@ -1023,6 +1077,7 @@ func keyGroups(c *cli.Context, file string) ([]sops.KeyGroup, error) {
 	var cloudKmsKeys []keys.MasterKey
 	var azkvKeys []keys.MasterKey
 	var hcVaultMkKeys []keys.MasterKey
+	var ageMasterKeys []keys.MasterKey
 	kmsEncryptionContext := kms.ParseKMSContext(c.String("encryption-context"))
 	if c.String("encryption-context") != "" && kmsEncryptionContext == nil {
 		return nil, common.NewExitError("Invalid KMS encryption context format", codes.ErrorInvalidKMSEncryptionContextFormat)
@@ -1060,7 +1115,16 @@ func keyGroups(c *cli.Context, file string) ([]sops.KeyGroup, error) {
 			pgpKeys = append(pgpKeys, k)
 		}
 	}
-	if c.String("kms") == "" && c.String("pgp") == "" && c.String("gcp-kms") == "" && c.String("azure-kv") == "" && c.String("hc-vault-transit") == "" {
+	if c.String("age") != "" {
+		ageKeys, err := age.MasterKeysFromRecipients(c.String("age"))
+		if err != nil {
+			return nil, err
+		}
+		for _, k := range ageKeys {
+			ageMasterKeys = append(ageMasterKeys, k)
+		}
+	}
+	if c.String("kms") == "" && c.String("pgp") == "" && c.String("gcp-kms") == "" && c.String("azure-kv") == "" && c.String("hc-vault-transit") == "" && c.String("age") == "" {
 		conf, err := loadConfig(c, file, kmsEncryptionContext)
 		// config file might just not be supplied, without any error
 		if conf == nil {
@@ -1078,6 +1142,7 @@ func keyGroups(c *cli.Context, file string) ([]sops.KeyGroup, error) {
 	group = append(group, azkvKeys...)
 	group = append(group, pgpKeys...)
 	group = append(group, hcVaultMkKeys...)
+	group = append(group, ageMasterKeys...)
 	log.Debugf("Master keys available:  %+v", group)
 	return []sops.KeyGroup{group}, nil
 }
diff --git a/cmd/sops/subcommand/exec/exec.go b/cmd/sops/subcommand/exec/exec.go
index 95f135d79..cd8d33be5 100644
--- a/cmd/sops/subcommand/exec/exec.go
+++ b/cmd/sops/subcommand/exec/exec.go
@@ -24,10 +24,11 @@ type ExecOpts struct {
 	Background bool
 	Fifo       bool
 	User       string
+	Filename   string
 }
 
-func GetFile(dir string) *os.File {
-	handle, err := ioutil.TempFile(dir, "tmp-file")
+func GetFile(dir, filename string) *os.File {
+	handle, err := ioutil.TempFile(dir, filename)
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -54,10 +55,10 @@ func ExecWithFile(opts ExecOpts) error {
 	if opts.Fifo {
 		// fifo handling needs to be async, even opening to write
 		// will block if there is no reader present
-		filename = GetPipe(dir)
+		filename = GetPipe(dir, opts.Filename)
 		go WritePipe(filename, opts.Plaintext)
 	} else {
-		handle := GetFile(dir)
+		handle := GetFile(dir, opts.Filename)
 		handle.Write(opts.Plaintext)
 		handle.Close()
 		filename = handle.Name()
diff --git a/cmd/sops/subcommand/exec/exec_unix.go b/cmd/sops/subcommand/exec/exec_unix.go
index f2041b7fb..cc831e798 100644
--- a/cmd/sops/subcommand/exec/exec_unix.go
+++ b/cmd/sops/subcommand/exec/exec_unix.go
@@ -27,8 +27,8 @@ func WritePipe(pipe string, contents []byte) {
 	handle.Close()
 }
 
-func GetPipe(dir string) string {
-	tmpfn := filepath.Join(dir, "tmp-file")
+func GetPipe(dir, filename string) string {
+	tmpfn := filepath.Join(dir, filename)
 	err := syscall.Mkfifo(tmpfn, 0600)
 	if err != nil {
 		log.Fatal(err)
diff --git a/cmd/sops/subcommand/exec/exec_windows.go b/cmd/sops/subcommand/exec/exec_windows.go
index 0c3345384..7e0f21d74 100644
--- a/cmd/sops/subcommand/exec/exec_windows.go
+++ b/cmd/sops/subcommand/exec/exec_windows.go
@@ -12,7 +12,7 @@ func WritePipe(pipe string, contents []byte) {
 	log.Fatal("fifos are not available on windows")
 }
 
-func GetPipe(dir string) string {
+func GetPipe(dir, filename string) string {
 	log.Fatal("fifos are not available on windows")
 	return ""
 }
diff --git a/config/config.go b/config/config.go
index 67a06cdda..e89336ddc 100644
--- a/config/config.go
+++ b/config/config.go
@@ -10,9 +10,9 @@ import (
 	"path"
 	"regexp"
 
-	"github.com/mozilla-services/yaml"
 	"github.com/sirupsen/logrus"
 	"go.mozilla.org/sops/v3"
+	"go.mozilla.org/sops/v3/age"
 	"go.mozilla.org/sops/v3/azkv"
 	"go.mozilla.org/sops/v3/gcpkms"
 	"go.mozilla.org/sops/v3/hcvault"
@@ -20,6 +20,7 @@ import (
 	"go.mozilla.org/sops/v3/logging"
 	"go.mozilla.org/sops/v3/pgp"
 	"go.mozilla.org/sops/v3/publish"
+	"gopkg.in/yaml.v3"
 )
 
 var log *logrus.Logger
@@ -71,6 +72,7 @@ type keyGroup struct {
 	GCPKMS  []gcpKmsKey  `yaml:"gcp_kms"`
 	AzureKV []azureKVKey `yaml:"azure_keyvault"`
 	Vault   []string     `yaml:"hc_vault"`
+	Age     []string     `yaml:"age"`
 	PGP     []string
 }
 
@@ -109,6 +111,7 @@ type creationRule struct {
 	PathRegex         string `yaml:"path_regex"`
 	KMS               string
 	AwsProfile        string `yaml:"aws_profile"`
+	Age               string `yaml:"age"`
 	PGP               string
 	GCPKMS            string     `yaml:"gcp_kms"`
 	AzureKeyVault     string     `yaml:"azure_keyvault"`
@@ -147,6 +150,13 @@ func getKeyGroupsFromCreationRule(cRule *creationRule, kmsEncryptionContext map[
 	if len(cRule.KeyGroups) > 0 {
 		for _, group := range cRule.KeyGroups {
 			var keyGroup sops.KeyGroup
+			for _, k := range group.Age {
+				key, err := age.MasterKeyFromRecipient(k)
+				if err != nil {
+					return nil, err
+				}
+				keyGroup = append(keyGroup, key)
+			}
 			for _, k := range group.PGP {
 				keyGroup = append(keyGroup, pgp.NewMasterKeyFromFingerprint(k))
 			}
@@ -170,6 +180,16 @@ func getKeyGroupsFromCreationRule(cRule *creationRule, kmsEncryptionContext map[
 		}
 	} else {
 		var keyGroup sops.KeyGroup
+		if cRule.Age != "" {
+			ageKeys, err := age.MasterKeysFromRecipients(cRule.Age)
+			if err != nil {
+				return nil, err
+			} else {
+				for _, ak := range ageKeys {
+					keyGroup = append(keyGroup, ak)
+				}
+			}
+		}
 		for _, k := range pgp.MasterKeysFromFingerprintString(cRule.PGP) {
 			keyGroup = append(keyGroup, k)
 		}
@@ -306,11 +326,13 @@ func parseCreationRuleForFile(conf *configFile, filePath string, kmsEncryptionCo
 			rule = &r
 			break
 		}
-		if r.PathRegex != "" {
-			if match, _ := regexp.MatchString(r.PathRegex, filePath); match {
-				rule = &r
-				break
-			}
+		reg, err := regexp.Compile(r.PathRegex)
+		if err != nil {
+			return nil, fmt.Errorf("can not compile regexp: %w", err)
+		}
+		if reg.MatchString(filePath) {
+			rule = &r
+			break
 		}
 	}
 
diff --git a/config/config_test.go b/config/config_test.go
index 183eb7836..ac8aca6f3 100644
--- a/config/config_test.go
+++ b/config/config_test.go
@@ -208,6 +208,24 @@ destination_rules:
     path_regex: "vault-v1/*"
 `)
 
+var sampleConfigWithInvalidComplicatedRegexp = []byte(`
+creation_rules:
+  - path_regex: "[ ]\\K(?<!\\d )(?="
+    kms: default
+`)
+
+var sampleConfigWithComplicatedRegexp = []byte(`
+creation_rules:
+  - path_regex: "stage/dev/feature-.*"
+    kms: dev-feature 
+  - path_regex: "stage/dev/.*"
+    kms: dev
+  - path_regex: "stage/staging/.*"
+    kms: staging
+  - path_regex: "stage/.*/.*"
+    kms: default
+`)
+
 func parseConfigFile(confBytes []byte, t *testing.T) *configFile {
 	conf := &configFile{}
 	err := conf.load(confBytes)
@@ -285,6 +303,24 @@ func TestLoadConfigFileWithNoMatchingRules(t *testing.T) {
 	assert.NotNil(t, err)
 }
 
+func TestLoadConfigFileWithInvalidComplicatedRegexp(t *testing.T) {
+	conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithInvalidComplicatedRegexp, t), "stage/prod/api.yml", nil)
+	assert.Equal(t, "can not compile regexp: error parsing regexp: invalid escape sequence: `\\K`", err.Error())
+	assert.Nil(t, conf)
+}
+
+func TestLoadConfigFileWithComplicatedRegexp(t *testing.T) {
+	for filePath, k := range map[string]string{
+		"stage/prod/api.yml":        "default",
+		"stage/dev/feature-foo.yml": "dev-feature",
+		"stage/dev/api.yml":         "dev",
+	} {
+		conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithComplicatedRegexp, t), filePath, nil)
+		assert.Nil(t, err)
+		assert.Equal(t, k, conf.KeyGroups[0][0].ToString())
+	}
+}
+
 func TestLoadEmptyConfigFile(t *testing.T) {
 	conf, err := parseCreationRuleForFile(parseConfigFile(sampleEmptyConfig, t), "foobar2000", nil)
 	assert.Nil(t, conf)
diff --git a/decrypt/decrypt.go b/decrypt/decrypt.go
index 5714fc17f..6fd4a4fbe 100644
--- a/decrypt/decrypt.go
+++ b/decrypt/decrypt.go
@@ -20,7 +20,7 @@ func File(path, format string) (cleartext []byte, err error) {
 	// Read the file into an []byte
 	encryptedData, err := ioutil.ReadFile(path)
 	if err != nil {
-		return nil, fmt.Errorf("Failed to read %q: %v", path, err)
+		return nil, fmt.Errorf("Failed to read %q: %w", path, err)
 	}
 
 	// uses same logic as cli.
diff --git a/functional-tests/res/comments.enc.yaml b/functional-tests/res/comments.enc.yaml
index f28ea5d23..7b386184e 100644
--- a/functional-tests/res/comments.enc.yaml
+++ b/functional-tests/res/comments.enc.yaml
@@ -1,3 +1,4 @@
+#ENC[AES256_GCM,data:IYA+b4ORDq8u9CBQolipWD4HRqoZyA==,iv:F8ldQqGng+WptHuBkFtjrGM+7sRZCsvd0FHq98lrpAE=,tag:ZHbLU9+CELinf5PhhuIzSQ==,type:comment]
 lorem: ENC[AES256_GCM,data:PhmSdTs=,iv:J5ugEWq6RfyNx+5zDXvcTdoQ18YYZkqesDED7LNzou4=,tag:0Qrom6J6aUnZMZzGz5XCxw==,type:str]
 #ENC[AES256_GCM,data:HiHCasVRzWUiFxKb3X/AcEeM,iv:bmNg+T91dqGk/CEtVH+FDC53osDCEPmWmJKpLyAU5OM=,tag:bTLDYxQSAfYDCBYccoUokQ==,type:comment]
 dolor: ENC[AES256_GCM,data:IgvT,iv:wtPNYbDTARFE810PH6ldOLzCDcAjkB/dzPsZjpgHcko=,tag:zwE8P+AwO1hrHkgF6pTbZw==,type:str]
@@ -5,8 +6,10 @@ sops:
     kms: []
     gcp_kms: []
     azure_kv: []
-    lastmodified: '2017-08-16T03:41:16Z'
-    mac: ENC[AES256_GCM,data:3ngUnY2hkK6pkDbCeAnOHsi/M6bLnGk1vkd+EeGyN/efqJZmwH0+9hUdACNnwHzofIR6NbtCGZal+cSCuTGD4eDuqNV+LbwV1/EaaVZj9RktTNXq3STSXxfzYGoHV3NOMtBhq6sYhF0U72nunreCymm3QzOTylAa2HlmRs54axM=,iv:EMXphsMa+ELK8XXX3MDfFJe3jFgXzwCSwjxNR5ah14k=,tag:gakwLdPvwyihj+FkTG/2kQ==,type:str]
+    hc_vault: []
+    age: []
+    lastmodified: '2020-10-07T15:49:13Z'
+    mac: ENC[AES256_GCM,data:2dhyKdHYSynjXPwYrn9356wA7vRKw+T5qwBenI2vZrgthpQBOCQG4M6f7eeH3VLTxB4mN4CAchb25dsNRoGr6A38VruaSSAhPco3Rh4AlvKSvXuhgRnzZvNxE/bnHX1D4K5cdTb4FsJg/Ue1l7UcWrlrv1s3H3SwLHP/nf+suD0=,iv:6xBYURjjaQzlUOKOrs2NWOChiNFZVAGPJZQZ59MwX3o=,tag:uXD5VYme+c8eHcCc5TD2YA==,type:str]
     pgp:
     -   created_at: '2019-08-29T21:52:32Z'
         enc: |
@@ -24,4 +27,4 @@ sops:
             -----END PGP MESSAGE-----
         fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
     unencrypted_suffix: _unencrypted
-    version: 2.0.9
+    version: 3.6.1
diff --git a/functional-tests/res/comments.yaml b/functional-tests/res/comments.yaml
index b8761445e..c0a880c91 100644
--- a/functional-tests/res/comments.yaml
+++ b/functional-tests/res/comments.yaml
@@ -1,3 +1,4 @@
+# first comment in file
 lorem: ipsum
 # this-is-a-comment
 dolor: sit
\ No newline at end of file
diff --git a/functional-tests/res/comments_unencrypted_comments.yaml b/functional-tests/res/comments_unencrypted_comments.yaml
index 86fa3aecc..dbaaa5203 100644
--- a/functional-tests/res/comments_unencrypted_comments.yaml
+++ b/functional-tests/res/comments_unencrypted_comments.yaml
@@ -1,3 +1,4 @@
+# first comment in file
 lorem: ENC[AES256_GCM,data:qVz4paM=,iv:0oGsaw71i3wZKmlyDl8uDhQT9XLvJt3oIyx514X44K8=,tag:acbMS613StWo1IVnKK+5uQ==,type:str]
 # this-is-a-comment
 dolor: ENC[AES256_GCM,data:21fI,iv:01LXdHZYwLTeyUB1YWIAM6KF8cPPVsw/RuQO+Ab4pgM=,tag:o1xnCIIoccWzdWxB2kZYKg==,type:str]
diff --git a/functional-tests/src/lib.rs b/functional-tests/src/lib.rs
index 074af4260..756e832f5 100644
--- a/functional-tests/src/lib.rs
+++ b/functional-tests/src/lib.rs
@@ -421,6 +421,7 @@ b: ba"#
             .output()
             .expect("Error running sops");
         assert!(output.status.success(), "SOPS didn't return successfully");
+        assert!(!String::from_utf8_lossy(&output.stdout).contains("first comment in file"), "Comment was not encrypted");
         assert!(!String::from_utf8_lossy(&output.stdout).contains("this-is-a-comment"), "Comment was not encrypted");
     }
 
@@ -446,6 +447,7 @@ b: ba"#
                     .output()
                     .expect("Error running sops");
         assert!(output.status.success(), "SOPS didn't return successfully");
+        assert!(String::from_utf8_lossy(&output.stdout).contains("first comment in file"), "Comment was not decrypted");
         assert!(String::from_utf8_lossy(&output.stdout).contains("this-is-a-comment"), "Comment was not decrypted");
     }
 
@@ -458,6 +460,7 @@ b: ba"#
                     .output()
                     .expect("Error running sops");
         assert!(output.status.success(), "SOPS didn't return successfully");
+        assert!(String::from_utf8_lossy(&output.stdout).contains("first comment in file"), "Comment was not decrypted");
         assert!(String::from_utf8_lossy(&output.stdout).contains("this-is-a-comment"), "Comment was not decrypted");
     }
 
diff --git a/gcpkms/keysource.go b/gcpkms/keysource.go
index 8fd89af37..eee55433d 100644
--- a/gcpkms/keysource.go
+++ b/gcpkms/keysource.go
@@ -44,7 +44,7 @@ func (key *MasterKey) Encrypt(dataKey []byte) error {
 	cloudkmsService, err := key.createCloudKMSService()
 	if err != nil {
 		log.WithField("resourceID", key.ResourceID).Info("Encryption failed")
-		return fmt.Errorf("Cannot create GCP KMS service: %v", err)
+		return fmt.Errorf("Cannot create GCP KMS service: %w", err)
 	}
 	req := &cloudkms.EncryptRequest{
 		Plaintext: base64.StdEncoding.EncodeToString(dataKey),
@@ -52,7 +52,7 @@ func (key *MasterKey) Encrypt(dataKey []byte) error {
 	resp, err := cloudkmsService.Projects.Locations.KeyRings.CryptoKeys.Encrypt(key.ResourceID, req).Do()
 	if err != nil {
 		log.WithField("resourceID", key.ResourceID).Info("Encryption failed")
-		return fmt.Errorf("Failed to call GCP KMS encryption service: %v", err)
+		return fmt.Errorf("Failed to call GCP KMS encryption service: %w", err)
 	}
 	log.WithField("resourceID", key.ResourceID).Info("Encryption succeeded")
 	key.EncryptedKey = resp.Ciphertext
@@ -72,7 +72,7 @@ func (key *MasterKey) Decrypt() ([]byte, error) {
 	cloudkmsService, err := key.createCloudKMSService()
 	if err != nil {
 		log.WithField("resourceID", key.ResourceID).Info("Decryption failed")
-		return nil, fmt.Errorf("Cannot create GCP KMS service: %v", err)
+		return nil, fmt.Errorf("Cannot create GCP KMS service: %w", err)
 	}
 
 	req := &cloudkms.DecryptRequest{
@@ -81,7 +81,7 @@ func (key *MasterKey) Decrypt() ([]byte, error) {
 	resp, err := cloudkmsService.Projects.Locations.KeyRings.CryptoKeys.Decrypt(key.ResourceID, req).Do()
 	if err != nil {
 		log.WithField("resourceID", key.ResourceID).Info("Decryption failed")
-		return nil, fmt.Errorf("Error decrypting key: %v", err)
+		return nil, fmt.Errorf("Error decrypting key: %w", err)
 	}
 	encryptedKey, err := base64.StdEncoding.DecodeString(resp.Plaintext)
 	if err != nil {
diff --git a/go.mod b/go.mod
index 323fdc46a..3799fb843 100644
--- a/go.mod
+++ b/go.mod
@@ -4,6 +4,7 @@ go 1.13
 
 require (
 	cloud.google.com/go v0.43.0
+	filippo.io/age v1.0.0-beta7
 	github.com/Azure/azure-sdk-for-go v31.2.0+incompatible
 	github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect
 	github.com/Azure/go-autorest/autorest v0.9.0
@@ -12,15 +13,15 @@ require (
 	github.com/Azure/go-autorest/autorest/validation v0.2.0 // indirect
 	github.com/Microsoft/go-winio v0.4.14 // indirect
 	github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect
-	github.com/aws/aws-sdk-go v1.33.18
+	github.com/aws/aws-sdk-go v1.37.18
 	github.com/blang/semver v3.5.1+incompatible
 	github.com/cenkalti/backoff v2.2.1+incompatible // indirect
 	github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.4.0 // indirect
 	github.com/fatih/color v1.7.0
-	github.com/golang/protobuf v1.3.2
-	github.com/google/go-cmp v0.3.0
+	github.com/golang/protobuf v1.4.1
+	github.com/google/go-cmp v0.5.0
 	github.com/google/shlex v0.0.0-20181106134648-c34317bd91bf
 	github.com/gotestyourself/gotestyourself v2.2.0+incompatible // indirect
 	github.com/goware/prefixer v0.0.0-20160118172347-395022866408
@@ -29,7 +30,6 @@ require (
 	github.com/lib/pq v1.2.0
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/mitchellh/go-wordwrap v1.0.0
-	github.com/mozilla-services/yaml v0.0.0-20191106225358-5c216288813c
 	github.com/opencontainers/go-digest v1.0.0-rc1 // indirect
 	github.com/opencontainers/image-spec v1.0.1 // indirect
 	github.com/opencontainers/runc v0.1.1 // indirect
@@ -38,14 +38,16 @@ require (
 	github.com/sirupsen/logrus v1.4.2
 	github.com/smartystreets/goconvey v0.0.0-20190710185942-9d28bd7c0945 // indirect
 	github.com/stretchr/testify v1.5.1
-	github.com/vektra/mockery v1.1.2 // indirect
 	go.mozilla.org/gopgagent v0.0.0-20170926210634-4d7ea76ff71a
-	golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550
-	golang.org/x/net v0.0.0-20200226121028-0de0cce0169b
+	golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83
+	golang.org/x/net v0.0.0-20201110031124-69a78807bb2b
 	golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
+	golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43 // indirect
 	google.golang.org/api v0.7.0
-	google.golang.org/grpc v1.22.1
+	google.golang.org/grpc v1.27.0
+	google.golang.org/protobuf v1.25.0
 	gopkg.in/ini.v1 v1.44.0
 	gopkg.in/urfave/cli.v1 v1.20.0
+	gopkg.in/yaml.v3 v3.0.0-20210107172259-749611fa9fcc
 	gotest.tools v2.2.0+incompatible // indirect
 )
diff --git a/go.sum b/go.sum
index aa870f0a9..976e3519a 100644
--- a/go.sum
+++ b/go.sum
@@ -3,8 +3,10 @@ cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMT
 cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
 cloud.google.com/go v0.43.0 h1:banaiRPAM8kUVYneOSkhgcDsLzEvL25FinuiSZaH/2w=
 cloud.google.com/go v0.43.0/go.mod h1:BOSR3VbTLkk6FDC/TcffxP4NF/FFBGA5ku+jvKOP7pg=
-contrib.go.opencensus.io/exporter/ocagent v0.4.12 h1:jGFvw3l57ViIVEPKKEUXPcLYIXJmQxLUh6ey1eJhwyc=
 contrib.go.opencensus.io/exporter/ocagent v0.4.12/go.mod h1:450APlNTSR6FrvC3CTRqYosuDstRB9un7SOx2k/9ckA=
+filippo.io/age v1.0.0-beta7 h1:RZiSK+N3KL2UwT82xiCavjYw8jJHzWMEUYePAukTpk0=
+filippo.io/age v1.0.0-beta7/go.mod h1:chAuTrTb0FTTmKtvs6fQTGhYTvH9AigjN1uEUsvLdZ0=
+filippo.io/edwards25519 v1.0.0-alpha.2/go.mod h1:X+pm78QAUPtFLi1z9PYIlS/bdDnvbCOGKtZ+ACWEf7o=
 github.com/Azure/azure-sdk-for-go v31.2.0+incompatible h1:kZFnTLmdQYNGfakatSivKHUfUnDZhqNdchHD4oIhp5k=
 github.com/Azure/azure-sdk-for-go v31.2.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
 github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 h1:w+iIsaOQNcT7OZ575w+acHgRric5iCyQh+xv+KJ4HB8=
@@ -21,7 +23,6 @@ github.com/Azure/go-autorest/autorest/azure/cli v0.1.0 h1:YTtBrcb6mhA+PoSW8WxFDo
 github.com/Azure/go-autorest/autorest/azure/cli v0.1.0/go.mod h1:Dk8CUAt/b/PzkfeRsWzVG9Yj3ps8mS8ECztu43rdU8U=
 github.com/Azure/go-autorest/autorest/date v0.1.0 h1:YGrhWfrgtFs84+h0o46rJrlmsZtyZRg470CqAXTZaGM=
 github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA=
-github.com/Azure/go-autorest/autorest/mocks v0.1.0 h1:Kx+AUU2Te+A3JIyYn6Dfs+cFgx5XorQKuIXrZGoq/SI=
 github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
 github.com/Azure/go-autorest/autorest/mocks v0.2.0 h1:Ww5g4zThfD/6cLb4z6xxgeyDa7QDkizMkJKe0ysZXp0=
 github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
@@ -31,7 +32,6 @@ github.com/Azure/go-autorest/autorest/validation v0.2.0 h1:15vMO4y76dehZSq7pAaOL
 github.com/Azure/go-autorest/autorest/validation v0.2.0/go.mod h1:3EEqHnBxQGHXRYq3HT1WyXAvT7LLY3tl70hw6tQIbjI=
 github.com/Azure/go-autorest/logger v0.1.0 h1:ruG4BSDXONFRrZZJ2GUXDiUyVpayPmb1GnWeHDdaNKY=
 github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc=
-github.com/Azure/go-autorest/tracing v0.1.0 h1:TRBxC5Pj/fIuh4Qob0ZpkggbfT8RC0SubHbpV3p4/Vc=
 github.com/Azure/go-autorest/tracing v0.1.0/go.mod h1:ROEEAFwXycQw7Sn3DXNtEedEvdeRAgDr0izn4z5Ij88=
 github.com/Azure/go-autorest/tracing v0.5.0 h1:TRn4WjSnkcSy5AEG3pnbtFSwNtwzjr4VYyQflFE619k=
 github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk=
@@ -43,23 +43,21 @@ github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 h1:TngWCqHvy9oXAN6lEV
 github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5/go.mod h1:lmUJ/7eu/Q8D7ML55dXQrVaamCz2vxCfdQBasLZfHKk=
 github.com/Shopify/sarama v1.19.0/go.mod h1:FVkBWblsNy7DGZRfXLU0O9RCGt5g3g3yEuWXgklEdEo=
 github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI=
-github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc h1:cAKDfWh5VpdgMhJosfJnn5/FoN2SRZ4p7fJNX58YPaU=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
-github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf h1:qet1QNfXsQxTZqLG4oE62mJzwPIB8+Tee4RNCL9ulrY=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
-github.com/aws/aws-sdk-go v1.33.18 h1:Ccy1SV2SsgJU3rfrD+SOhQ0jvuzfrFuja/oKI86ruPw=
-github.com/aws/aws-sdk-go v1.33.18/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
+github.com/aws/aws-sdk-go v1.37.18 h1:SRdWLg+DqMFWX8HB3UvXyAoZpw9IDIUYnSTwgzOYbqg=
+github.com/aws/aws-sdk-go v1.37.18/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
 github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ=
 github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
 github.com/cenkalti/backoff v2.2.1+incompatible h1:tNowT99t7UNflLxfYYSlKYsBpXdEet03Pg2g16Swow4=
 github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM=
-github.com/census-instrumentation/opencensus-proto v0.2.0 h1:LzQXZOgg4CQfE6bFvXGM30YZL1WW/M337pXml+GrcZ4=
 github.com/census-instrumentation/opencensus-proto v0.2.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
+github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc h1:TP+534wVlf61smEIq1nwLLAjQVEK2EADoW3CX9AuT+8=
 github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
@@ -77,6 +75,8 @@ github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDD
 github.com/eapache/go-resiliency v1.1.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs=
 github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU=
 github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I=
+github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/fatih/color v1.7.0 h1:DkWD4oS2D8LGGgTQ6IvwJJXSL5Vp2ffcQg58nFV38Ys=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M=
@@ -85,7 +85,6 @@ github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeME
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-ldap/ldap v3.0.2+incompatible/go.mod h1:qfd9rJvER9Q0/D/Sqn1DfHRoBp40uXYvFoEVrNEPqRc=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
-github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/go-test/deep v1.0.2-0.20181118220953-042da051cf31/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
@@ -97,16 +96,25 @@ github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfb
 github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.2 h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
+github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
+github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
+github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
+github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
+github.com/golang/protobuf v1.4.1 h1:ZFgWrT+bLgsYPirOnRfKLYJLvssAegOj/hgyMFdJZe0=
+github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
 github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/golang/snappy v0.0.1 h1:Qgr9rKW7uDUkrbSmQeiDsGa8SjGyCOGtuasMWwvp2P4=
 github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
-github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.0 h1:/QaMHBdZ26BB3SSst0Iwl10Epc+xhTquomWX0oZEB6w=
+github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/martian v2.1.0+incompatible h1:/CP5g8u/VJHijgedC/Legn3BAbAaWPgecwXBIDzw5no=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
@@ -124,7 +132,6 @@ github.com/gotestyourself/gotestyourself v2.2.0+incompatible h1:AQwinXlbQR2HvPjQ
 github.com/gotestyourself/gotestyourself v2.2.0+incompatible/go.mod h1:zZKM6oeNM8k+FRljX1mnzVYeS8wiGgQyvST1/GafPbY=
 github.com/goware/prefixer v0.0.0-20160118172347-395022866408 h1:Y9iQJfEqnN3/Nce9cOegemcy/9Ai5k3huT6E80F3zaw=
 github.com/goware/prefixer v0.0.0-20160118172347-395022866408/go.mod h1:PE1ycukgRPJ7bJ9a1fdfQ9j8i/cEcRAoLZzbxYpNB/s=
-github.com/grpc-ecosystem/grpc-gateway v1.8.5 h1:2+KSC78XiO6Qy0hIjfc1OD9H+hsaJdJlb8Kqsd41CTE=
 github.com/grpc-ecosystem/grpc-gateway v1.8.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
 github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -160,8 +167,10 @@ github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d/go.mod h1:+NfK9FKe
 github.com/howeyc/gopass v0.0.0-20170109162249-bf9dde6d0d2c h1:kQWxfPIHVLbgLzphqk3QUflDy9QdksZR4ygR807bpy0=
 github.com/howeyc/gopass v0.0.0-20170109162249-bf9dde6d0d2c/go.mod h1:lADxMC39cJJqL93Duh1xhAs4I2Zs8mKS89XWXFGp9cs=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
-github.com/jmespath/go-jmespath v0.3.0 h1:OS12ieG61fsCg5+qLJ+SsW9NicxNkg3b25OyT2yCeUc=
-github.com/jmespath/go-jmespath v0.3.0/go.mod h1:9QtRXoHjLGCJ5IBSaohpXITPlowMeeYCZ7fLUTSywik=
+github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
+github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
+github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
+github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo=
 github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
@@ -193,8 +202,6 @@ github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUb
 github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
-github.com/mozilla-services/yaml v0.0.0-20191106225358-5c216288813c h1:yE1NxRAZA3wF0laDWECtOe2J0tFjSHUI6MXXbMif+QY=
-github.com/mozilla-services/yaml v0.0.0-20191106225358-5c216288813c/go.mod h1:Is/Ucts/yU/mWyGR8yELRoO46mejouKsJfQLAIfTR18=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
@@ -213,7 +220,6 @@ github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144T
 github.com/pierrec/lz4 v2.0.5+incompatible h1:2xWsjqPFWcplujydGg4WmhC/6fZqK42wMM8aXeqhl0I=
 github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -224,7 +230,7 @@ github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXP
 github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829/go.mod h1:p2iRAGwDERtqlqzRXnrOVns+ignqQo//hLXqYxZYVNs=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190115171406-56726106282f/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
-github.com/prometheus/common v0.2.0 h1:kUZDBDTdBVBYBj5Tmh2NZLlF60mfjA27rM34b+cVwNU=
+github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/common v0.2.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
@@ -233,6 +239,8 @@ github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6So
 github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=
 github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
+github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0=
+github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
 github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4=
@@ -245,13 +253,10 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/objx v0.1.1 h1:2vfRuCMp5sSVIDSqO8oNnWJq7mPa6KVP3iPIwFBuy8A=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
-github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1 h1:nOGnQDM7FYENwehXlg/kFVnos3rEvtKTjRvOWSzb6H4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-github.com/vektra/mockery v1.1.2 h1:uc0Yn67rJpjt8U/mAZimdCKn9AeA97BOkjpmtBSlfP4=
-github.com/vektra/mockery v1.1.2/go.mod h1:VcfZjKaFOPO+MpN4ZvwPjs4c48lkq1o3Ym8yHZJu0jU=
-github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 go.mozilla.org/gopgagent v0.0.0-20170926210634-4d7ea76ff71a h1:N7VD+PwpJME2ZfQT8+ejxwA4Ow10IkGbU0MGf94ll8k=
 go.mozilla.org/gopgagent v0.0.0-20170926210634-4d7ea76ff71a/go.mod h1:YDKUvO0b//78PaaEro6CAPH6NqohCmL2Cwju5XI2HoE=
 go.opencensus.io v0.20.1/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk=
@@ -263,10 +268,10 @@ golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnf
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190418165655-df01cb2cc480/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4 h1:HuIa8hRrWRSrqYzx1qI49NNxhdi2PrY7gxVSq1JjLDc=
-golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 h1:ObdrDkeb4kJdCP557AjRjq69pTHfNouLtWZG7j9rPN8=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83 h1:/ZScEX8SfEmUGRHs0gxpqteO5nfNW6axyZbBdw9A12g=
+golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
@@ -276,8 +281,6 @@ golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTk
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
-golang.org/x/mod v0.2.0 h1:KU7oHjnv3XNWfa5COkzUifxZmxp1TyI7ImMXqFxLwvQ=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -292,10 +295,8 @@ golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn
 golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200202094626-16171245cfb2 h1:CCH4IOTTfewWjGOlSp+zGcjutRKlBEZQ6wTn8ozI/nI=
-golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b h1:0mm1VjtFUOIlE1SbDlwjYaDxZVDP2S5ou6y0gSgXHu8=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20201110031124-69a78807bb2b h1:uwuIcX0g4Yl1NC5XAz37xsr2lTtcqevgzYNVt49waME=
+golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 h1:SVwTIAaPC2U/AvvLNZ2a7OVsmBpC8L5BlwK1whH3hm0=
@@ -304,9 +305,7 @@ golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58 h1:8gQV6CLnAEikrhgkHFbMAEhagSSnXWGV915qUMm9mrU=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -323,13 +322,19 @@ golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0 h1:HyfiK1WMnHj5FXFXatD+Qs1A/xC2Run6RzeW1SyHxpc=
 golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43 h1:SgQ6LNaYJU0JIuEHv9+s6EbhSCwYeAf5Yvj6lpYlqAE=
+golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/term v0.0.0-20201117132131-f5c789dd3221 h1:/ZHdbVpdR/jk3g30/d4yUL0JU9kksj8+F/bnQUVLGDM=
+golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20181227161524-e6919f6577db/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 h1:SvFZT6jyqRaOeXpc5h/JSfZenJ2O330aBsf7JfSUXmQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -346,11 +351,6 @@ golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBn
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200323144430-8dcfad9e016e h1:ssd5ulOvVWlh4kDSUF2SqzmMeWfjmwDXM+uGw/aQjRE=
-golang.org/x/tools v0.0.0-20200323144430-8dcfad9e016e/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/api v0.3.1/go.mod h1:6wY9I6uQWHQ8EM57III9mq/AjF+i8G65rmVagqKMtkk=
@@ -368,8 +368,10 @@ google.golang.org/genproto v0.0.0-20190404172233-64821d5d2107/go.mod h1:VzzqZJRn
 google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190716160619-c506a9f90610 h1:Ygq9/SRJX9+dU0WCIICM8RkWvDw03lvB77hrhJnpxfU=
 google.golang.org/genproto v0.0.0-20190716160619-c506a9f90610/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
+google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
+google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013 h1:+kGHl1aib/qcwaRi1CbqBZ1rk19r85MNUf8HaBghugY=
+google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
 google.golang.org/grpc v1.14.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
 google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
@@ -377,14 +379,24 @@ google.golang.org/grpc v1.19.1/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZi
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
 google.golang.org/grpc v1.22.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
-google.golang.org/grpc v1.22.1 h1:/7cs52RnTJmD43s3uxzlq2U7nqVTd/37viQwMrMNlOM=
-google.golang.org/grpc v1.22.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
-gopkg.in/alecthomas/kingpin.v2 v2.2.6 h1:jMFz6MfLP0/4fUyZle81rXUoxOBFi19VUFKVDOQfozc=
+google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
+google.golang.org/grpc v1.27.0 h1:rRYRFMVgRv6E0D70Skyfsr28tDXIuuPZyWGMPdMcnXg=
+google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
+google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
+google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
+google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
+google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
+google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.25.0 h1:Ejskq+SyPohKW+1uil0JJMtmHCgJPJ/qWTxr8qp+R4c=
+google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d/go.mod h1:cuepJuh7vyXfUyUwEgHQXw849cJrilpS5NeIjOWESAw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/ini.v1 v1.44.0 h1:YRJzTUp0kSYWUVFF5XAbDFfyiqwsl0Vb9R8TVP5eRi0=
 gopkg.in/ini.v1 v1.44.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
@@ -396,8 +408,12 @@ gopkg.in/urfave/cli.v1 v1.20.0 h1:NdAVW6RYxDif9DhDHaAortIu956m2c0v+09AZBPTbE0=
 gopkg.in/urfave/cli.v1 v1.20.0/go.mod h1:vuBzUtMdQeixQj8LVd+/98pzhxNGQoyuPBlsXHOQNO0=
 gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v3 v3.0.0-20210107172259-749611fa9fcc h1:XANm4xAMEQhRdWKqaL0qmhGDv7RuobwCO97TIlktaQE=
+gopkg.in/yaml.v3 v3.0.0-20210107172259-749611fa9fcc/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
 gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
 honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
diff --git a/hcvault/keysource.go b/hcvault/keysource.go
index 4d436f0dd..5078df619 100644
--- a/hcvault/keysource.go
+++ b/hcvault/keysource.go
@@ -123,7 +123,7 @@ func vaultClient(address string) (*api.Client, error) {
 	cfg.Address = address
 	cli, err := api.NewClient(cfg)
 	if err != nil {
-		return nil, fmt.Errorf("Cannot create Vault Client: %v", err)
+		return nil, fmt.Errorf("Cannot create Vault Client: %w", err)
 	}
 	if cli.Token() != "" {
 		return cli, nil
@@ -239,7 +239,7 @@ func (key *MasterKey) createVaultTransitAndKey() error {
 		return err
 	}
 	if err != nil {
-		return fmt.Errorf("Cannot create Vault Client: %v", err)
+		return fmt.Errorf("Cannot create Vault Client: %w", err)
 	}
 	err = cli.Sys().Mount(key.EnginePath, &api.MountInput{
 		Type:        "transit",
diff --git a/hcvault/keysource_test.go b/hcvault/keysource_test.go
index f8682af66..9290acc1a 100644
--- a/hcvault/keysource_test.go
+++ b/hcvault/keysource_test.go
@@ -31,7 +31,7 @@ func TestMain(m *testing.M) {
 	if err := pool.Retry(func() error {
 		cli, err := api.NewClient(api.DefaultConfig())
 		if err != nil {
-			return fmt.Errorf("Cannot create Vault Client: %v", err)
+			return fmt.Errorf("Cannot create Vault Client: %w", err)
 		}
 		status, err := cli.Sys().InitStatus()
 		if err != nil {
diff --git a/keyservice/keyservice.go b/keyservice/keyservice.go
index f60e15822..103e3e6dc 100644
--- a/keyservice/keyservice.go
+++ b/keyservice/keyservice.go
@@ -7,6 +7,7 @@ package keyservice
 import (
 	"fmt"
 
+	"go.mozilla.org/sops/v3/age"
 	"go.mozilla.org/sops/v3/azkv"
 	"go.mozilla.org/sops/v3/gcpkms"
 	"go.mozilla.org/sops/v3/hcvault"
@@ -69,6 +70,14 @@ func KeyFromMasterKey(mk keys.MasterKey) Key {
 				},
 			},
 		}
+	case *age.MasterKey:
+		return Key{
+			KeyType: &Key_AgeKey{
+				AgeKey: &AgeKey{
+					Recipient: mk.Recipient,
+				},
+			},
+		}
 	default:
 		panic(fmt.Sprintf("Tried to convert unknown MasterKey type %T to keyservice.Key", mk))
 	}
diff --git a/keyservice/keyservice.pb.go b/keyservice/keyservice.pb.go
index c8177144b..ead3ccfd1 100644
--- a/keyservice/keyservice.pb.go
+++ b/keyservice/keyservice.pb.go
@@ -1,67 +1,129 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.23.0
+// 	protoc        v3.13.0
 // source: keyservice/keyservice.proto
 
 package keyservice
 
 import (
 	context "context"
-	fmt "fmt"
-	math "math"
-
 	proto "github.com/golang/protobuf/proto"
 	grpc "google.golang.org/grpc"
 	codes "google.golang.org/grpc/codes"
 	status "google.golang.org/grpc/status"
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.ProtoPackageIsVersion3 // please upgrade the proto package
+// This is a compile-time assertion that a sufficiently up-to-date version
+// of the legacy proto package is being used.
+const _ = proto.ProtoPackageIsVersion4
 
 type Key struct {
-	// Types that are valid to be assigned to KeyType:
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// Types that are assignable to KeyType:
 	//	*Key_KmsKey
 	//	*Key_PgpKey
 	//	*Key_GcpKmsKey
 	//	*Key_AzureKeyvaultKey
 	//	*Key_VaultKey
-	KeyType              isKey_KeyType `protobuf_oneof:"key_type"`
-	XXX_NoUnkeyedLiteral struct{}      `json:"-"`
-	XXX_unrecognized     []byte        `json:"-"`
-	XXX_sizecache        int32         `json:"-"`
+	//	*Key_AgeKey
+	KeyType isKey_KeyType `protobuf_oneof:"key_type"`
+}
+
+func (x *Key) Reset() {
+	*x = Key{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_keyservice_keyservice_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *Key) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Key) ProtoMessage() {}
+
+func (x *Key) ProtoReflect() protoreflect.Message {
+	mi := &file_keyservice_keyservice_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
 }
 
-func (m *Key) Reset()         { *m = Key{} }
-func (m *Key) String() string { return proto.CompactTextString(m) }
-func (*Key) ProtoMessage()    {}
+// Deprecated: Use Key.ProtoReflect.Descriptor instead.
 func (*Key) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8c1e2c407c293790, []int{0}
+	return file_keyservice_keyservice_proto_rawDescGZIP(), []int{0}
 }
 
-func (m *Key) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_Key.Unmarshal(m, b)
+func (m *Key) GetKeyType() isKey_KeyType {
+	if m != nil {
+		return m.KeyType
+	}
+	return nil
 }
-func (m *Key) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_Key.Marshal(b, m, deterministic)
+
+func (x *Key) GetKmsKey() *KmsKey {
+	if x, ok := x.GetKeyType().(*Key_KmsKey); ok {
+		return x.KmsKey
+	}
+	return nil
+}
+
+func (x *Key) GetPgpKey() *PgpKey {
+	if x, ok := x.GetKeyType().(*Key_PgpKey); ok {
+		return x.PgpKey
+	}
+	return nil
 }
-func (m *Key) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Key.Merge(m, src)
+
+func (x *Key) GetGcpKmsKey() *GcpKmsKey {
+	if x, ok := x.GetKeyType().(*Key_GcpKmsKey); ok {
+		return x.GcpKmsKey
+	}
+	return nil
 }
-func (m *Key) XXX_Size() int {
-	return xxx_messageInfo_Key.Size(m)
+
+func (x *Key) GetAzureKeyvaultKey() *AzureKeyVaultKey {
+	if x, ok := x.GetKeyType().(*Key_AzureKeyvaultKey); ok {
+		return x.AzureKeyvaultKey
+	}
+	return nil
 }
-func (m *Key) XXX_DiscardUnknown() {
-	xxx_messageInfo_Key.DiscardUnknown(m)
+
+func (x *Key) GetVaultKey() *VaultKey {
+	if x, ok := x.GetKeyType().(*Key_VaultKey); ok {
+		return x.VaultKey
+	}
+	return nil
 }
 
-var xxx_messageInfo_Key proto.InternalMessageInfo
+func (x *Key) GetAgeKey() *AgeKey {
+	if x, ok := x.GetKeyType().(*Key_AgeKey); ok {
+		return x.AgeKey
+	}
+	return nil
+}
 
 type isKey_KeyType interface {
 	isKey_KeyType()
@@ -87,6 +149,10 @@ type Key_VaultKey struct {
 	VaultKey *VaultKey `protobuf:"bytes,5,opt,name=vault_key,json=vaultKey,proto3,oneof"`
 }
 
+type Key_AgeKey struct {
+	AgeKey *AgeKey `protobuf:"bytes,6,opt,name=age_key,json=ageKey,proto3,oneof"`
+}
+
 func (*Key_KmsKey) isKey_KeyType() {}
 
 func (*Key_PgpKey) isKey_KeyType() {}
@@ -97,545 +163,852 @@ func (*Key_AzureKeyvaultKey) isKey_KeyType() {}
 
 func (*Key_VaultKey) isKey_KeyType() {}
 
-func (m *Key) GetKeyType() isKey_KeyType {
-	if m != nil {
-		return m.KeyType
-	}
-	return nil
-}
+func (*Key_AgeKey) isKey_KeyType() {}
 
-func (m *Key) GetKmsKey() *KmsKey {
-	if x, ok := m.GetKeyType().(*Key_KmsKey); ok {
-		return x.KmsKey
-	}
-	return nil
-}
+type PgpKey struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
 
-func (m *Key) GetPgpKey() *PgpKey {
-	if x, ok := m.GetKeyType().(*Key_PgpKey); ok {
-		return x.PgpKey
-	}
-	return nil
+	Fingerprint string `protobuf:"bytes,1,opt,name=fingerprint,proto3" json:"fingerprint,omitempty"`
 }
 
-func (m *Key) GetGcpKmsKey() *GcpKmsKey {
-	if x, ok := m.GetKeyType().(*Key_GcpKmsKey); ok {
-		return x.GcpKmsKey
+func (x *PgpKey) Reset() {
+	*x = PgpKey{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_keyservice_keyservice_proto_msgTypes[1]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
 	}
-	return nil
 }
 
-func (m *Key) GetAzureKeyvaultKey() *AzureKeyVaultKey {
-	if x, ok := m.GetKeyType().(*Key_AzureKeyvaultKey); ok {
-		return x.AzureKeyvaultKey
-	}
-	return nil
+func (x *PgpKey) String() string {
+	return protoimpl.X.MessageStringOf(x)
 }
 
-func (m *Key) GetVaultKey() *VaultKey {
-	if x, ok := m.GetKeyType().(*Key_VaultKey); ok {
-		return x.VaultKey
-	}
-	return nil
-}
+func (*PgpKey) ProtoMessage() {}
 
-// XXX_OneofWrappers is for the internal use of the proto package.
-func (*Key) XXX_OneofWrappers() []interface{} {
-	return []interface{}{
-		(*Key_KmsKey)(nil),
-		(*Key_PgpKey)(nil),
-		(*Key_GcpKmsKey)(nil),
-		(*Key_AzureKeyvaultKey)(nil),
-		(*Key_VaultKey)(nil),
+func (x *PgpKey) ProtoReflect() protoreflect.Message {
+	mi := &file_keyservice_keyservice_proto_msgTypes[1]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
 	}
+	return mi.MessageOf(x)
 }
 
-type PgpKey struct {
-	Fingerprint          string   `protobuf:"bytes,1,opt,name=fingerprint,proto3" json:"fingerprint,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *PgpKey) Reset()         { *m = PgpKey{} }
-func (m *PgpKey) String() string { return proto.CompactTextString(m) }
-func (*PgpKey) ProtoMessage()    {}
+// Deprecated: Use PgpKey.ProtoReflect.Descriptor instead.
 func (*PgpKey) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8c1e2c407c293790, []int{1}
+	return file_keyservice_keyservice_proto_rawDescGZIP(), []int{1}
 }
 
-func (m *PgpKey) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_PgpKey.Unmarshal(m, b)
-}
-func (m *PgpKey) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_PgpKey.Marshal(b, m, deterministic)
-}
-func (m *PgpKey) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PgpKey.Merge(m, src)
-}
-func (m *PgpKey) XXX_Size() int {
-	return xxx_messageInfo_PgpKey.Size(m)
-}
-func (m *PgpKey) XXX_DiscardUnknown() {
-	xxx_messageInfo_PgpKey.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PgpKey proto.InternalMessageInfo
-
-func (m *PgpKey) GetFingerprint() string {
-	if m != nil {
-		return m.Fingerprint
+func (x *PgpKey) GetFingerprint() string {
+	if x != nil {
+		return x.Fingerprint
 	}
 	return ""
 }
 
 type KmsKey struct {
-	Arn                  string            `protobuf:"bytes,1,opt,name=arn,proto3" json:"arn,omitempty"`
-	Role                 string            `protobuf:"bytes,2,opt,name=role,proto3" json:"role,omitempty"`
-	Context              map[string]string `protobuf:"bytes,3,rep,name=context,proto3" json:"context,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
-	AwsProfile           string            `protobuf:"bytes,4,opt,name=aws_profile,json=awsProfile,proto3" json:"aws_profile,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}          `json:"-"`
-	XXX_unrecognized     []byte            `json:"-"`
-	XXX_sizecache        int32             `json:"-"`
-}
-
-func (m *KmsKey) Reset()         { *m = KmsKey{} }
-func (m *KmsKey) String() string { return proto.CompactTextString(m) }
-func (*KmsKey) ProtoMessage()    {}
-func (*KmsKey) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8c1e2c407c293790, []int{2}
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Arn        string            `protobuf:"bytes,1,opt,name=arn,proto3" json:"arn,omitempty"`
+	Role       string            `protobuf:"bytes,2,opt,name=role,proto3" json:"role,omitempty"`
+	Context    map[string]string `protobuf:"bytes,3,rep,name=context,proto3" json:"context,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	AwsProfile string            `protobuf:"bytes,4,opt,name=aws_profile,json=awsProfile,proto3" json:"aws_profile,omitempty"`
+}
+
+func (x *KmsKey) Reset() {
+	*x = KmsKey{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_keyservice_keyservice_proto_msgTypes[2]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
 }
 
-func (m *KmsKey) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_KmsKey.Unmarshal(m, b)
-}
-func (m *KmsKey) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_KmsKey.Marshal(b, m, deterministic)
-}
-func (m *KmsKey) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_KmsKey.Merge(m, src)
+func (x *KmsKey) String() string {
+	return protoimpl.X.MessageStringOf(x)
 }
-func (m *KmsKey) XXX_Size() int {
-	return xxx_messageInfo_KmsKey.Size(m)
-}
-func (m *KmsKey) XXX_DiscardUnknown() {
-	xxx_messageInfo_KmsKey.DiscardUnknown(m)
+
+func (*KmsKey) ProtoMessage() {}
+
+func (x *KmsKey) ProtoReflect() protoreflect.Message {
+	mi := &file_keyservice_keyservice_proto_msgTypes[2]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
 }
 
-var xxx_messageInfo_KmsKey proto.InternalMessageInfo
+// Deprecated: Use KmsKey.ProtoReflect.Descriptor instead.
+func (*KmsKey) Descriptor() ([]byte, []int) {
+	return file_keyservice_keyservice_proto_rawDescGZIP(), []int{2}
+}
 
-func (m *KmsKey) GetArn() string {
-	if m != nil {
-		return m.Arn
+func (x *KmsKey) GetArn() string {
+	if x != nil {
+		return x.Arn
 	}
 	return ""
 }
 
-func (m *KmsKey) GetRole() string {
-	if m != nil {
-		return m.Role
+func (x *KmsKey) GetRole() string {
+	if x != nil {
+		return x.Role
 	}
 	return ""
 }
 
-func (m *KmsKey) GetContext() map[string]string {
-	if m != nil {
-		return m.Context
+func (x *KmsKey) GetContext() map[string]string {
+	if x != nil {
+		return x.Context
 	}
 	return nil
 }
 
-func (m *KmsKey) GetAwsProfile() string {
-	if m != nil {
-		return m.AwsProfile
+func (x *KmsKey) GetAwsProfile() string {
+	if x != nil {
+		return x.AwsProfile
 	}
 	return ""
 }
 
 type GcpKmsKey struct {
-	ResourceId           string   `protobuf:"bytes,1,opt,name=resource_id,json=resourceId,proto3" json:"resource_id,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
 
-func (m *GcpKmsKey) Reset()         { *m = GcpKmsKey{} }
-func (m *GcpKmsKey) String() string { return proto.CompactTextString(m) }
-func (*GcpKmsKey) ProtoMessage()    {}
-func (*GcpKmsKey) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8c1e2c407c293790, []int{3}
+	ResourceId string `protobuf:"bytes,1,opt,name=resource_id,json=resourceId,proto3" json:"resource_id,omitempty"`
 }
 
-func (m *GcpKmsKey) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_GcpKmsKey.Unmarshal(m, b)
-}
-func (m *GcpKmsKey) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_GcpKmsKey.Marshal(b, m, deterministic)
-}
-func (m *GcpKmsKey) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_GcpKmsKey.Merge(m, src)
+func (x *GcpKmsKey) Reset() {
+	*x = GcpKmsKey{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_keyservice_keyservice_proto_msgTypes[3]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
 }
-func (m *GcpKmsKey) XXX_Size() int {
-	return xxx_messageInfo_GcpKmsKey.Size(m)
+
+func (x *GcpKmsKey) String() string {
+	return protoimpl.X.MessageStringOf(x)
 }
-func (m *GcpKmsKey) XXX_DiscardUnknown() {
-	xxx_messageInfo_GcpKmsKey.DiscardUnknown(m)
+
+func (*GcpKmsKey) ProtoMessage() {}
+
+func (x *GcpKmsKey) ProtoReflect() protoreflect.Message {
+	mi := &file_keyservice_keyservice_proto_msgTypes[3]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
 }
 
-var xxx_messageInfo_GcpKmsKey proto.InternalMessageInfo
+// Deprecated: Use GcpKmsKey.ProtoReflect.Descriptor instead.
+func (*GcpKmsKey) Descriptor() ([]byte, []int) {
+	return file_keyservice_keyservice_proto_rawDescGZIP(), []int{3}
+}
 
-func (m *GcpKmsKey) GetResourceId() string {
-	if m != nil {
-		return m.ResourceId
+func (x *GcpKmsKey) GetResourceId() string {
+	if x != nil {
+		return x.ResourceId
 	}
 	return ""
 }
 
 type VaultKey struct {
-	VaultAddress         string   `protobuf:"bytes,1,opt,name=vault_address,json=vaultAddress,proto3" json:"vault_address,omitempty"`
-	EnginePath           string   `protobuf:"bytes,2,opt,name=engine_path,json=enginePath,proto3" json:"engine_path,omitempty"`
-	KeyName              string   `protobuf:"bytes,3,opt,name=key_name,json=keyName,proto3" json:"key_name,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
 
-func (m *VaultKey) Reset()         { *m = VaultKey{} }
-func (m *VaultKey) String() string { return proto.CompactTextString(m) }
-func (*VaultKey) ProtoMessage()    {}
-func (*VaultKey) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8c1e2c407c293790, []int{4}
+	VaultAddress string `protobuf:"bytes,1,opt,name=vault_address,json=vaultAddress,proto3" json:"vault_address,omitempty"`
+	EnginePath   string `protobuf:"bytes,2,opt,name=engine_path,json=enginePath,proto3" json:"engine_path,omitempty"`
+	KeyName      string `protobuf:"bytes,3,opt,name=key_name,json=keyName,proto3" json:"key_name,omitempty"`
 }
 
-func (m *VaultKey) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_VaultKey.Unmarshal(m, b)
-}
-func (m *VaultKey) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_VaultKey.Marshal(b, m, deterministic)
-}
-func (m *VaultKey) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_VaultKey.Merge(m, src)
+func (x *VaultKey) Reset() {
+	*x = VaultKey{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_keyservice_keyservice_proto_msgTypes[4]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
 }
-func (m *VaultKey) XXX_Size() int {
-	return xxx_messageInfo_VaultKey.Size(m)
+
+func (x *VaultKey) String() string {
+	return protoimpl.X.MessageStringOf(x)
 }
-func (m *VaultKey) XXX_DiscardUnknown() {
-	xxx_messageInfo_VaultKey.DiscardUnknown(m)
+
+func (*VaultKey) ProtoMessage() {}
+
+func (x *VaultKey) ProtoReflect() protoreflect.Message {
+	mi := &file_keyservice_keyservice_proto_msgTypes[4]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
 }
 
-var xxx_messageInfo_VaultKey proto.InternalMessageInfo
+// Deprecated: Use VaultKey.ProtoReflect.Descriptor instead.
+func (*VaultKey) Descriptor() ([]byte, []int) {
+	return file_keyservice_keyservice_proto_rawDescGZIP(), []int{4}
+}
 
-func (m *VaultKey) GetVaultAddress() string {
-	if m != nil {
-		return m.VaultAddress
+func (x *VaultKey) GetVaultAddress() string {
+	if x != nil {
+		return x.VaultAddress
 	}
 	return ""
 }
 
-func (m *VaultKey) GetEnginePath() string {
-	if m != nil {
-		return m.EnginePath
+func (x *VaultKey) GetEnginePath() string {
+	if x != nil {
+		return x.EnginePath
 	}
 	return ""
 }
 
-func (m *VaultKey) GetKeyName() string {
-	if m != nil {
-		return m.KeyName
+func (x *VaultKey) GetKeyName() string {
+	if x != nil {
+		return x.KeyName
 	}
 	return ""
 }
 
 type AzureKeyVaultKey struct {
-	VaultUrl             string   `protobuf:"bytes,1,opt,name=vault_url,json=vaultUrl,proto3" json:"vault_url,omitempty"`
-	Name                 string   `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"`
-	Version              string   `protobuf:"bytes,3,opt,name=version,proto3" json:"version,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
 
-func (m *AzureKeyVaultKey) Reset()         { *m = AzureKeyVaultKey{} }
-func (m *AzureKeyVaultKey) String() string { return proto.CompactTextString(m) }
-func (*AzureKeyVaultKey) ProtoMessage()    {}
-func (*AzureKeyVaultKey) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8c1e2c407c293790, []int{5}
+	VaultUrl string `protobuf:"bytes,1,opt,name=vault_url,json=vaultUrl,proto3" json:"vault_url,omitempty"`
+	Name     string `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"`
+	Version  string `protobuf:"bytes,3,opt,name=version,proto3" json:"version,omitempty"`
 }
 
-func (m *AzureKeyVaultKey) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_AzureKeyVaultKey.Unmarshal(m, b)
-}
-func (m *AzureKeyVaultKey) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_AzureKeyVaultKey.Marshal(b, m, deterministic)
-}
-func (m *AzureKeyVaultKey) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_AzureKeyVaultKey.Merge(m, src)
+func (x *AzureKeyVaultKey) Reset() {
+	*x = AzureKeyVaultKey{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_keyservice_keyservice_proto_msgTypes[5]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
 }
-func (m *AzureKeyVaultKey) XXX_Size() int {
-	return xxx_messageInfo_AzureKeyVaultKey.Size(m)
+
+func (x *AzureKeyVaultKey) String() string {
+	return protoimpl.X.MessageStringOf(x)
 }
-func (m *AzureKeyVaultKey) XXX_DiscardUnknown() {
-	xxx_messageInfo_AzureKeyVaultKey.DiscardUnknown(m)
+
+func (*AzureKeyVaultKey) ProtoMessage() {}
+
+func (x *AzureKeyVaultKey) ProtoReflect() protoreflect.Message {
+	mi := &file_keyservice_keyservice_proto_msgTypes[5]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
 }
 
-var xxx_messageInfo_AzureKeyVaultKey proto.InternalMessageInfo
+// Deprecated: Use AzureKeyVaultKey.ProtoReflect.Descriptor instead.
+func (*AzureKeyVaultKey) Descriptor() ([]byte, []int) {
+	return file_keyservice_keyservice_proto_rawDescGZIP(), []int{5}
+}
 
-func (m *AzureKeyVaultKey) GetVaultUrl() string {
-	if m != nil {
-		return m.VaultUrl
+func (x *AzureKeyVaultKey) GetVaultUrl() string {
+	if x != nil {
+		return x.VaultUrl
 	}
 	return ""
 }
 
-func (m *AzureKeyVaultKey) GetName() string {
-	if m != nil {
-		return m.Name
+func (x *AzureKeyVaultKey) GetName() string {
+	if x != nil {
+		return x.Name
 	}
 	return ""
 }
 
-func (m *AzureKeyVaultKey) GetVersion() string {
-	if m != nil {
-		return m.Version
+func (x *AzureKeyVaultKey) GetVersion() string {
+	if x != nil {
+		return x.Version
 	}
 	return ""
 }
 
-type EncryptRequest struct {
-	Key                  *Key     `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"`
-	Plaintext            []byte   `protobuf:"bytes,2,opt,name=plaintext,proto3" json:"plaintext,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
+type AgeKey struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Recipient string `protobuf:"bytes,1,opt,name=recipient,proto3" json:"recipient,omitempty"`
 }
 
-func (m *EncryptRequest) Reset()         { *m = EncryptRequest{} }
-func (m *EncryptRequest) String() string { return proto.CompactTextString(m) }
-func (*EncryptRequest) ProtoMessage()    {}
-func (*EncryptRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8c1e2c407c293790, []int{6}
+func (x *AgeKey) Reset() {
+	*x = AgeKey{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_keyservice_keyservice_proto_msgTypes[6]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *AgeKey) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*AgeKey) ProtoMessage() {}
+
+func (x *AgeKey) ProtoReflect() protoreflect.Message {
+	mi := &file_keyservice_keyservice_proto_msgTypes[6]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
 }
 
-func (m *EncryptRequest) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_EncryptRequest.Unmarshal(m, b)
+// Deprecated: Use AgeKey.ProtoReflect.Descriptor instead.
+func (*AgeKey) Descriptor() ([]byte, []int) {
+	return file_keyservice_keyservice_proto_rawDescGZIP(), []int{6}
 }
-func (m *EncryptRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_EncryptRequest.Marshal(b, m, deterministic)
+
+func (x *AgeKey) GetRecipient() string {
+	if x != nil {
+		return x.Recipient
+	}
+	return ""
 }
-func (m *EncryptRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_EncryptRequest.Merge(m, src)
+
+type EncryptRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Key       *Key   `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"`
+	Plaintext []byte `protobuf:"bytes,2,opt,name=plaintext,proto3" json:"plaintext,omitempty"`
 }
-func (m *EncryptRequest) XXX_Size() int {
-	return xxx_messageInfo_EncryptRequest.Size(m)
+
+func (x *EncryptRequest) Reset() {
+	*x = EncryptRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_keyservice_keyservice_proto_msgTypes[7]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
 }
-func (m *EncryptRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_EncryptRequest.DiscardUnknown(m)
+
+func (x *EncryptRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
 }
 
-var xxx_messageInfo_EncryptRequest proto.InternalMessageInfo
+func (*EncryptRequest) ProtoMessage() {}
 
-func (m *EncryptRequest) GetKey() *Key {
-	if m != nil {
-		return m.Key
+func (x *EncryptRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_keyservice_keyservice_proto_msgTypes[7]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use EncryptRequest.ProtoReflect.Descriptor instead.
+func (*EncryptRequest) Descriptor() ([]byte, []int) {
+	return file_keyservice_keyservice_proto_rawDescGZIP(), []int{7}
+}
+
+func (x *EncryptRequest) GetKey() *Key {
+	if x != nil {
+		return x.Key
 	}
 	return nil
 }
 
-func (m *EncryptRequest) GetPlaintext() []byte {
-	if m != nil {
-		return m.Plaintext
+func (x *EncryptRequest) GetPlaintext() []byte {
+	if x != nil {
+		return x.Plaintext
 	}
 	return nil
 }
 
 type EncryptResponse struct {
-	Ciphertext           []byte   `protobuf:"bytes,1,opt,name=ciphertext,proto3" json:"ciphertext,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
 
-func (m *EncryptResponse) Reset()         { *m = EncryptResponse{} }
-func (m *EncryptResponse) String() string { return proto.CompactTextString(m) }
-func (*EncryptResponse) ProtoMessage()    {}
-func (*EncryptResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8c1e2c407c293790, []int{7}
+	Ciphertext []byte `protobuf:"bytes,1,opt,name=ciphertext,proto3" json:"ciphertext,omitempty"`
 }
 
-func (m *EncryptResponse) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_EncryptResponse.Unmarshal(m, b)
-}
-func (m *EncryptResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_EncryptResponse.Marshal(b, m, deterministic)
-}
-func (m *EncryptResponse) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_EncryptResponse.Merge(m, src)
+func (x *EncryptResponse) Reset() {
+	*x = EncryptResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_keyservice_keyservice_proto_msgTypes[8]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
 }
-func (m *EncryptResponse) XXX_Size() int {
-	return xxx_messageInfo_EncryptResponse.Size(m)
+
+func (x *EncryptResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
 }
-func (m *EncryptResponse) XXX_DiscardUnknown() {
-	xxx_messageInfo_EncryptResponse.DiscardUnknown(m)
+
+func (*EncryptResponse) ProtoMessage() {}
+
+func (x *EncryptResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_keyservice_keyservice_proto_msgTypes[8]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
 }
 
-var xxx_messageInfo_EncryptResponse proto.InternalMessageInfo
+// Deprecated: Use EncryptResponse.ProtoReflect.Descriptor instead.
+func (*EncryptResponse) Descriptor() ([]byte, []int) {
+	return file_keyservice_keyservice_proto_rawDescGZIP(), []int{8}
+}
 
-func (m *EncryptResponse) GetCiphertext() []byte {
-	if m != nil {
-		return m.Ciphertext
+func (x *EncryptResponse) GetCiphertext() []byte {
+	if x != nil {
+		return x.Ciphertext
 	}
 	return nil
 }
 
 type DecryptRequest struct {
-	Key                  *Key     `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"`
-	Ciphertext           []byte   `protobuf:"bytes,2,opt,name=ciphertext,proto3" json:"ciphertext,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
 
-func (m *DecryptRequest) Reset()         { *m = DecryptRequest{} }
-func (m *DecryptRequest) String() string { return proto.CompactTextString(m) }
-func (*DecryptRequest) ProtoMessage()    {}
-func (*DecryptRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8c1e2c407c293790, []int{8}
+	Key        *Key   `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"`
+	Ciphertext []byte `protobuf:"bytes,2,opt,name=ciphertext,proto3" json:"ciphertext,omitempty"`
 }
 
-func (m *DecryptRequest) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_DecryptRequest.Unmarshal(m, b)
-}
-func (m *DecryptRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_DecryptRequest.Marshal(b, m, deterministic)
-}
-func (m *DecryptRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DecryptRequest.Merge(m, src)
+func (x *DecryptRequest) Reset() {
+	*x = DecryptRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_keyservice_keyservice_proto_msgTypes[9]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
 }
-func (m *DecryptRequest) XXX_Size() int {
-	return xxx_messageInfo_DecryptRequest.Size(m)
+
+func (x *DecryptRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
 }
-func (m *DecryptRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_DecryptRequest.DiscardUnknown(m)
+
+func (*DecryptRequest) ProtoMessage() {}
+
+func (x *DecryptRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_keyservice_keyservice_proto_msgTypes[9]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
 }
 
-var xxx_messageInfo_DecryptRequest proto.InternalMessageInfo
+// Deprecated: Use DecryptRequest.ProtoReflect.Descriptor instead.
+func (*DecryptRequest) Descriptor() ([]byte, []int) {
+	return file_keyservice_keyservice_proto_rawDescGZIP(), []int{9}
+}
 
-func (m *DecryptRequest) GetKey() *Key {
-	if m != nil {
-		return m.Key
+func (x *DecryptRequest) GetKey() *Key {
+	if x != nil {
+		return x.Key
 	}
 	return nil
 }
 
-func (m *DecryptRequest) GetCiphertext() []byte {
-	if m != nil {
-		return m.Ciphertext
+func (x *DecryptRequest) GetCiphertext() []byte {
+	if x != nil {
+		return x.Ciphertext
 	}
 	return nil
 }
 
 type DecryptResponse struct {
-	Plaintext            []byte   `protobuf:"bytes,1,opt,name=plaintext,proto3" json:"plaintext,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
 
-func (m *DecryptResponse) Reset()         { *m = DecryptResponse{} }
-func (m *DecryptResponse) String() string { return proto.CompactTextString(m) }
-func (*DecryptResponse) ProtoMessage()    {}
-func (*DecryptResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8c1e2c407c293790, []int{9}
+	Plaintext []byte `protobuf:"bytes,1,opt,name=plaintext,proto3" json:"plaintext,omitempty"`
 }
 
-func (m *DecryptResponse) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_DecryptResponse.Unmarshal(m, b)
-}
-func (m *DecryptResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_DecryptResponse.Marshal(b, m, deterministic)
-}
-func (m *DecryptResponse) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DecryptResponse.Merge(m, src)
+func (x *DecryptResponse) Reset() {
+	*x = DecryptResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_keyservice_keyservice_proto_msgTypes[10]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
 }
-func (m *DecryptResponse) XXX_Size() int {
-	return xxx_messageInfo_DecryptResponse.Size(m)
+
+func (x *DecryptResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
 }
-func (m *DecryptResponse) XXX_DiscardUnknown() {
-	xxx_messageInfo_DecryptResponse.DiscardUnknown(m)
+
+func (*DecryptResponse) ProtoMessage() {}
+
+func (x *DecryptResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_keyservice_keyservice_proto_msgTypes[10]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
 }
 
-var xxx_messageInfo_DecryptResponse proto.InternalMessageInfo
+// Deprecated: Use DecryptResponse.ProtoReflect.Descriptor instead.
+func (*DecryptResponse) Descriptor() ([]byte, []int) {
+	return file_keyservice_keyservice_proto_rawDescGZIP(), []int{10}
+}
 
-func (m *DecryptResponse) GetPlaintext() []byte {
-	if m != nil {
-		return m.Plaintext
+func (x *DecryptResponse) GetPlaintext() []byte {
+	if x != nil {
+		return x.Plaintext
 	}
 	return nil
 }
 
-func init() {
-	proto.RegisterType((*Key)(nil), "Key")
-	proto.RegisterType((*PgpKey)(nil), "PgpKey")
-	proto.RegisterType((*KmsKey)(nil), "KmsKey")
-	proto.RegisterMapType((map[string]string)(nil), "KmsKey.ContextEntry")
-	proto.RegisterType((*GcpKmsKey)(nil), "GcpKmsKey")
-	proto.RegisterType((*VaultKey)(nil), "VaultKey")
-	proto.RegisterType((*AzureKeyVaultKey)(nil), "AzureKeyVaultKey")
-	proto.RegisterType((*EncryptRequest)(nil), "EncryptRequest")
-	proto.RegisterType((*EncryptResponse)(nil), "EncryptResponse")
-	proto.RegisterType((*DecryptRequest)(nil), "DecryptRequest")
-	proto.RegisterType((*DecryptResponse)(nil), "DecryptResponse")
-}
-
-func init() { proto.RegisterFile("keyservice/keyservice.proto", fileDescriptor_8c1e2c407c293790) }
-
-var fileDescriptor_8c1e2c407c293790 = []byte{
-	// 574 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x54, 0x5d, 0x6f, 0xd3, 0x30,
-	0x14, 0x5d, 0xd6, 0xad, 0x5d, 0x6e, 0xca, 0x5a, 0xac, 0x09, 0x8d, 0x0d, 0xc1, 0x30, 0x2f, 0x13,
-	0x9a, 0x3c, 0x51, 0x5e, 0xd0, 0xde, 0x06, 0x0c, 0x86, 0x2a, 0xa1, 0x29, 0x08, 0xde, 0x50, 0xe5,
-	0xa5, 0x77, 0x6d, 0x94, 0x34, 0x31, 0x76, 0xd2, 0x61, 0xfe, 0x1a, 0x7f, 0x8b, 0x1f, 0x80, 0xfc,
-	0x91, 0x7e, 0xf1, 0xc2, 0xdb, 0xf5, 0xc9, 0x39, 0xe7, 0x5e, 0x9f, 0xeb, 0x16, 0x8e, 0x33, 0xd4,
-	0x0a, 0xe5, 0x3c, 0x4d, 0xf0, 0x7c, 0x59, 0x32, 0x21, 0xcb, 0xaa, 0xa4, 0x7f, 0x02, 0x68, 0x0d,
-	0x51, 0x13, 0x0a, 0x9d, 0x6c, 0xa6, 0x46, 0x19, 0xea, 0xc3, 0xe0, 0x24, 0x38, 0x8d, 0x06, 0x1d,
-	0x36, 0x9c, 0xa9, 0x21, 0xea, 0xeb, 0xad, 0xb8, 0x9d, 0xd9, 0xca, 0x70, 0xc4, 0x44, 0x58, 0xce,
-	0xb6, 0xe7, 0xdc, 0x4c, 0x84, 0xe7, 0x08, 0x5b, 0x91, 0x33, 0x88, 0x26, 0x89, 0x18, 0x35, 0x5e,
-	0x2d, 0xcb, 0x03, 0xf6, 0x31, 0x11, 0x0b, 0xbb, 0x70, 0xd2, 0x1c, 0xc8, 0x25, 0x10, 0xfe, 0xab,
-	0x96, 0x68, 0xb8, 0x73, 0x5e, 0xe7, 0x95, 0x15, 0xed, 0x58, 0xd1, 0x43, 0x76, 0x69, 0x3e, 0x0d,
-	0x51, 0x7f, 0x33, 0x5f, 0x9c, 0xb6, 0xcf, 0x3d, 0x36, 0xf7, 0x18, 0x39, 0x85, 0x70, 0xa9, 0xdc,
-	0xb5, 0xca, 0x90, 0xad, 0x28, 0xf6, 0x1a, 0xe6, 0x5b, 0x80, 0xbd, 0x0c, 0xf5, 0xa8, 0xd2, 0x02,
-	0xe9, 0x4b, 0x68, 0xbb, 0xd1, 0xc9, 0x09, 0x44, 0x77, 0x69, 0x31, 0x41, 0x29, 0x64, 0x5a, 0x54,
-	0xf6, 0xf2, 0x61, 0xbc, 0x0a, 0xd1, 0xdf, 0x01, 0xb4, 0xfd, 0xbc, 0x7d, 0x68, 0x71, 0x59, 0x78,
-	0x92, 0x29, 0x09, 0x81, 0x1d, 0x59, 0xe6, 0x68, 0x03, 0x09, 0x63, 0x5b, 0x13, 0x06, 0x9d, 0xa4,
-	0x2c, 0x2a, 0xfc, 0x59, 0x1d, 0xb6, 0x4e, 0x5a, 0xa7, 0xd1, 0xe0, 0xc0, 0x67, 0xc9, 0xde, 0x39,
-	0xf8, 0xaa, 0xa8, 0xa4, 0x8e, 0x1b, 0x12, 0x79, 0x06, 0x11, 0xbf, 0x57, 0x23, 0x21, 0xcb, 0xbb,
-	0x34, 0x47, 0x7b, 0xfd, 0x30, 0x06, 0x7e, 0xaf, 0x6e, 0x1c, 0x72, 0x74, 0x01, 0xdd, 0x55, 0xa5,
-	0x19, 0xa3, 0x59, 0x54, 0x18, 0x9b, 0x92, 0x1c, 0xc0, 0xee, 0x9c, 0xe7, 0x75, 0x33, 0x87, 0x3b,
-	0x5c, 0x6c, 0xbf, 0x09, 0xe8, 0x19, 0x84, 0x8b, 0xf0, 0x4d, 0x27, 0x89, 0xaa, 0xac, 0x65, 0x82,
-	0xa3, 0x74, 0xec, 0x0d, 0xa0, 0x81, 0x3e, 0x8d, 0xe9, 0x0c, 0xf6, 0x9a, 0xec, 0xc8, 0x0b, 0x78,
-	0xe0, 0x92, 0xe5, 0xe3, 0xb1, 0x44, 0xa5, 0x3c, 0xbd, 0x6b, 0xc1, 0x4b, 0x87, 0x91, 0xe7, 0xd0,
-	0xbd, 0xe5, 0x49, 0x86, 0xc5, 0x78, 0x24, 0x78, 0x35, 0xf5, 0xfd, 0x23, 0x8f, 0xdd, 0xf0, 0x6a,
-	0x4a, 0x1e, 0xbb, 0xdc, 0x0b, 0x3e, 0x43, 0xfb, 0x1e, 0xc2, 0xb8, 0x93, 0xa1, 0xfe, 0xcc, 0x67,
-	0x48, 0xbf, 0x43, 0x7f, 0x73, 0xc9, 0xe4, 0xb8, 0x59, 0x68, 0x2d, 0x73, 0xdf, 0xd2, 0xed, 0xf0,
-	0xab, 0xcc, 0x4d, 0xdc, 0xd6, 0xc7, 0xc7, 0x6d, 0x6a, 0x72, 0x08, 0x9d, 0x39, 0x4a, 0x95, 0x96,
-	0x45, 0x63, 0xef, 0x8f, 0xf4, 0x03, 0xec, 0x5f, 0x15, 0x89, 0xd4, 0xa2, 0x8a, 0xf1, 0x47, 0x8d,
-	0xaa, 0x22, 0x8f, 0x96, 0xc9, 0x45, 0x83, 0x1d, 0x36, 0x44, 0xed, 0xf2, 0x7b, 0x02, 0xa1, 0xc8,
-	0x79, 0xea, 0x96, 0x66, 0xcc, 0xbb, 0xf1, 0x12, 0xa0, 0xaf, 0xa0, 0xb7, 0xf0, 0x51, 0xa2, 0x2c,
-	0x14, 0x92, 0xa7, 0x00, 0x49, 0x2a, 0xa6, 0x28, 0xad, 0x22, 0xb0, 0x8a, 0x15, 0x84, 0x5e, 0xc3,
-	0xfe, 0x7b, 0xfc, 0xaf, 0xd6, 0xeb, 0x4e, 0xdb, 0xff, 0x38, 0x9d, 0x43, 0x6f, 0xe1, 0xe4, 0x9b,
-	0xaf, 0x4d, 0x1b, 0x6c, 0x4c, 0x3b, 0xc8, 0x01, 0x86, 0xa8, 0xbf, 0xb8, 0x9f, 0xb9, 0x79, 0x8c,
-	0x7e, 0x76, 0xd2, 0x63, 0xeb, 0x69, 0x1c, 0xf5, 0xd9, 0xc6, 0xb5, 0xe8, 0x96, 0xe1, 0xfb, 0x76,
-	0xa4, 0xc7, 0xd6, 0xaf, 0x70, 0xd4, 0x67, 0x1b, 0x93, 0xd0, 0xad, 0xdb, 0xb6, 0xfd, 0x1f, 0x79,
-	0xfd, 0x37, 0x00, 0x00, 0xff, 0xff, 0x9b, 0x65, 0x80, 0xa7, 0x66, 0x04, 0x00, 0x00,
+var File_keyservice_keyservice_proto protoreflect.FileDescriptor
+
+var file_keyservice_keyservice_proto_rawDesc = []byte{
+	0x0a, 0x1b, 0x6b, 0x65, 0x79, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2f, 0x6b, 0x65, 0x79,
+	0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x98, 0x02,
+	0x0a, 0x03, 0x4b, 0x65, 0x79, 0x12, 0x22, 0x0a, 0x07, 0x6b, 0x6d, 0x73, 0x5f, 0x6b, 0x65, 0x79,
+	0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x07, 0x2e, 0x4b, 0x6d, 0x73, 0x4b, 0x65, 0x79, 0x48,
+	0x00, 0x52, 0x06, 0x6b, 0x6d, 0x73, 0x4b, 0x65, 0x79, 0x12, 0x22, 0x0a, 0x07, 0x70, 0x67, 0x70,
+	0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x07, 0x2e, 0x50, 0x67, 0x70,
+	0x4b, 0x65, 0x79, 0x48, 0x00, 0x52, 0x06, 0x70, 0x67, 0x70, 0x4b, 0x65, 0x79, 0x12, 0x2c, 0x0a,
+	0x0b, 0x67, 0x63, 0x70, 0x5f, 0x6b, 0x6d, 0x73, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x03, 0x20, 0x01,
+	0x28, 0x0b, 0x32, 0x0a, 0x2e, 0x47, 0x63, 0x70, 0x4b, 0x6d, 0x73, 0x4b, 0x65, 0x79, 0x48, 0x00,
+	0x52, 0x09, 0x67, 0x63, 0x70, 0x4b, 0x6d, 0x73, 0x4b, 0x65, 0x79, 0x12, 0x41, 0x0a, 0x12, 0x61,
+	0x7a, 0x75, 0x72, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x5f, 0x6b, 0x65,
+	0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x41, 0x7a, 0x75, 0x72, 0x65, 0x4b,
+	0x65, 0x79, 0x56, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x65, 0x79, 0x48, 0x00, 0x52, 0x10, 0x61, 0x7a,
+	0x75, 0x72, 0x65, 0x4b, 0x65, 0x79, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x65, 0x79, 0x12, 0x28,
+	0x0a, 0x09, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x05, 0x20, 0x01, 0x28,
+	0x0b, 0x32, 0x09, 0x2e, 0x56, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x65, 0x79, 0x48, 0x00, 0x52, 0x08,
+	0x76, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x65, 0x79, 0x12, 0x22, 0x0a, 0x07, 0x61, 0x67, 0x65, 0x5f,
+	0x6b, 0x65, 0x79, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x07, 0x2e, 0x41, 0x67, 0x65, 0x4b,
+	0x65, 0x79, 0x48, 0x00, 0x52, 0x06, 0x61, 0x67, 0x65, 0x4b, 0x65, 0x79, 0x42, 0x0a, 0x0a, 0x08,
+	0x6b, 0x65, 0x79, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x22, 0x2a, 0x0a, 0x06, 0x50, 0x67, 0x70, 0x4b,
+	0x65, 0x79, 0x12, 0x20, 0x0a, 0x0b, 0x66, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69, 0x6e,
+	0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x66, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70,
+	0x72, 0x69, 0x6e, 0x74, 0x22, 0xbb, 0x01, 0x0a, 0x06, 0x4b, 0x6d, 0x73, 0x4b, 0x65, 0x79, 0x12,
+	0x10, 0x0a, 0x03, 0x61, 0x72, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x61, 0x72,
+	0x6e, 0x12, 0x12, 0x0a, 0x04, 0x72, 0x6f, 0x6c, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x04, 0x72, 0x6f, 0x6c, 0x65, 0x12, 0x2e, 0x0a, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74,
+	0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x4b, 0x6d, 0x73, 0x4b, 0x65, 0x79, 0x2e,
+	0x43, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x07, 0x63, 0x6f,
+	0x6e, 0x74, 0x65, 0x78, 0x74, 0x12, 0x1f, 0x0a, 0x0b, 0x61, 0x77, 0x73, 0x5f, 0x70, 0x72, 0x6f,
+	0x66, 0x69, 0x6c, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x61, 0x77, 0x73, 0x50,
+	0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x1a, 0x3a, 0x0a, 0x0c, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x78,
+	0x74, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75,
+	0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02,
+	0x38, 0x01, 0x22, 0x2c, 0x0a, 0x09, 0x47, 0x63, 0x70, 0x4b, 0x6d, 0x73, 0x4b, 0x65, 0x79, 0x12,
+	0x1f, 0x0a, 0x0b, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x49, 0x64,
+	0x22, 0x6b, 0x0a, 0x08, 0x56, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x65, 0x79, 0x12, 0x23, 0x0a, 0x0d,
+	0x76, 0x61, 0x75, 0x6c, 0x74, 0x5f, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x0c, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73,
+	0x73, 0x12, 0x1f, 0x0a, 0x0b, 0x65, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x5f, 0x70, 0x61, 0x74, 0x68,
+	0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x65, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x50, 0x61,
+	0x74, 0x68, 0x12, 0x19, 0x0a, 0x08, 0x6b, 0x65, 0x79, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x6b, 0x65, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0x5d, 0x0a,
+	0x10, 0x41, 0x7a, 0x75, 0x72, 0x65, 0x4b, 0x65, 0x79, 0x56, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x65,
+	0x79, 0x12, 0x1b, 0x0a, 0x09, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x5f, 0x75, 0x72, 0x6c, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x55, 0x72, 0x6c, 0x12, 0x12,
+	0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61,
+	0x6d, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x26, 0x0a, 0x06,
+	0x41, 0x67, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x1c, 0x0a, 0x09, 0x72, 0x65, 0x63, 0x69, 0x70, 0x69,
+	0x65, 0x6e, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x72, 0x65, 0x63, 0x69, 0x70,
+	0x69, 0x65, 0x6e, 0x74, 0x22, 0x46, 0x0a, 0x0e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x52,
+	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x16, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20,
+	0x01, 0x28, 0x0b, 0x32, 0x04, 0x2e, 0x4b, 0x65, 0x79, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x1c,
+	0x0a, 0x09, 0x70, 0x6c, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28,
+	0x0c, 0x52, 0x09, 0x70, 0x6c, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x22, 0x31, 0x0a, 0x0f,
+	0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12,
+	0x1e, 0x0a, 0x0a, 0x63, 0x69, 0x70, 0x68, 0x65, 0x72, 0x74, 0x65, 0x78, 0x74, 0x18, 0x01, 0x20,
+	0x01, 0x28, 0x0c, 0x52, 0x0a, 0x63, 0x69, 0x70, 0x68, 0x65, 0x72, 0x74, 0x65, 0x78, 0x74, 0x22,
+	0x48, 0x0a, 0x0e, 0x44, 0x65, 0x63, 0x72, 0x79, 0x70, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
+	0x74, 0x12, 0x16, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x04,
+	0x2e, 0x4b, 0x65, 0x79, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x1e, 0x0a, 0x0a, 0x63, 0x69, 0x70,
+	0x68, 0x65, 0x72, 0x74, 0x65, 0x78, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0a, 0x63,
+	0x69, 0x70, 0x68, 0x65, 0x72, 0x74, 0x65, 0x78, 0x74, 0x22, 0x2f, 0x0a, 0x0f, 0x44, 0x65, 0x63,
+	0x72, 0x79, 0x70, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1c, 0x0a, 0x09,
+	0x70, 0x6c, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52,
+	0x09, 0x70, 0x6c, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x32, 0x6c, 0x0a, 0x0a, 0x4b, 0x65,
+	0x79, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x2e, 0x0a, 0x07, 0x45, 0x6e, 0x63, 0x72,
+	0x79, 0x70, 0x74, 0x12, 0x0f, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x52, 0x65, 0x71,
+	0x75, 0x65, 0x73, 0x74, 0x1a, 0x10, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x52, 0x65,
+	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x2e, 0x0a, 0x07, 0x44, 0x65, 0x63, 0x72,
+	0x79, 0x70, 0x74, 0x12, 0x0f, 0x2e, 0x44, 0x65, 0x63, 0x72, 0x79, 0x70, 0x74, 0x52, 0x65, 0x71,
+	0x75, 0x65, 0x73, 0x74, 0x1a, 0x10, 0x2e, 0x44, 0x65, 0x63, 0x72, 0x79, 0x70, 0x74, 0x52, 0x65,
+	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+}
+
+var (
+	file_keyservice_keyservice_proto_rawDescOnce sync.Once
+	file_keyservice_keyservice_proto_rawDescData = file_keyservice_keyservice_proto_rawDesc
+)
+
+func file_keyservice_keyservice_proto_rawDescGZIP() []byte {
+	file_keyservice_keyservice_proto_rawDescOnce.Do(func() {
+		file_keyservice_keyservice_proto_rawDescData = protoimpl.X.CompressGZIP(file_keyservice_keyservice_proto_rawDescData)
+	})
+	return file_keyservice_keyservice_proto_rawDescData
+}
+
+var file_keyservice_keyservice_proto_msgTypes = make([]protoimpl.MessageInfo, 12)
+var file_keyservice_keyservice_proto_goTypes = []interface{}{
+	(*Key)(nil),              // 0: Key
+	(*PgpKey)(nil),           // 1: PgpKey
+	(*KmsKey)(nil),           // 2: KmsKey
+	(*GcpKmsKey)(nil),        // 3: GcpKmsKey
+	(*VaultKey)(nil),         // 4: VaultKey
+	(*AzureKeyVaultKey)(nil), // 5: AzureKeyVaultKey
+	(*AgeKey)(nil),           // 6: AgeKey
+	(*EncryptRequest)(nil),   // 7: EncryptRequest
+	(*EncryptResponse)(nil),  // 8: EncryptResponse
+	(*DecryptRequest)(nil),   // 9: DecryptRequest
+	(*DecryptResponse)(nil),  // 10: DecryptResponse
+	nil,                      // 11: KmsKey.ContextEntry
+}
+var file_keyservice_keyservice_proto_depIdxs = []int32{
+	2,  // 0: Key.kms_key:type_name -> KmsKey
+	1,  // 1: Key.pgp_key:type_name -> PgpKey
+	3,  // 2: Key.gcp_kms_key:type_name -> GcpKmsKey
+	5,  // 3: Key.azure_keyvault_key:type_name -> AzureKeyVaultKey
+	4,  // 4: Key.vault_key:type_name -> VaultKey
+	6,  // 5: Key.age_key:type_name -> AgeKey
+	11, // 6: KmsKey.context:type_name -> KmsKey.ContextEntry
+	0,  // 7: EncryptRequest.key:type_name -> Key
+	0,  // 8: DecryptRequest.key:type_name -> Key
+	7,  // 9: KeyService.Encrypt:input_type -> EncryptRequest
+	9,  // 10: KeyService.Decrypt:input_type -> DecryptRequest
+	8,  // 11: KeyService.Encrypt:output_type -> EncryptResponse
+	10, // 12: KeyService.Decrypt:output_type -> DecryptResponse
+	11, // [11:13] is the sub-list for method output_type
+	9,  // [9:11] is the sub-list for method input_type
+	9,  // [9:9] is the sub-list for extension type_name
+	9,  // [9:9] is the sub-list for extension extendee
+	0,  // [0:9] is the sub-list for field type_name
+}
+
+func init() { file_keyservice_keyservice_proto_init() }
+func file_keyservice_keyservice_proto_init() {
+	if File_keyservice_keyservice_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_keyservice_keyservice_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*Key); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_keyservice_keyservice_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*PgpKey); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_keyservice_keyservice_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*KmsKey); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_keyservice_keyservice_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*GcpKmsKey); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_keyservice_keyservice_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*VaultKey); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_keyservice_keyservice_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*AzureKeyVaultKey); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_keyservice_keyservice_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*AgeKey); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_keyservice_keyservice_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*EncryptRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_keyservice_keyservice_proto_msgTypes[8].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*EncryptResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_keyservice_keyservice_proto_msgTypes[9].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*DecryptRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_keyservice_keyservice_proto_msgTypes[10].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*DecryptResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	file_keyservice_keyservice_proto_msgTypes[0].OneofWrappers = []interface{}{
+		(*Key_KmsKey)(nil),
+		(*Key_PgpKey)(nil),
+		(*Key_GcpKmsKey)(nil),
+		(*Key_AzureKeyvaultKey)(nil),
+		(*Key_VaultKey)(nil),
+		(*Key_AgeKey)(nil),
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_keyservice_keyservice_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   12,
+			NumExtensions: 0,
+			NumServices:   1,
+		},
+		GoTypes:           file_keyservice_keyservice_proto_goTypes,
+		DependencyIndexes: file_keyservice_keyservice_proto_depIdxs,
+		MessageInfos:      file_keyservice_keyservice_proto_msgTypes,
+	}.Build()
+	File_keyservice_keyservice_proto = out.File
+	file_keyservice_keyservice_proto_rawDesc = nil
+	file_keyservice_keyservice_proto_goTypes = nil
+	file_keyservice_keyservice_proto_depIdxs = nil
 }
 
 // Reference imports to suppress errors if they are not otherwise used.
 var _ context.Context
-var _ grpc.ClientConn
+var _ grpc.ClientConnInterface
 
 // This is a compile-time assertion to ensure that this generated file
 // is compatible with the grpc package it is being compiled against.
-const _ = grpc.SupportPackageIsVersion4
+const _ = grpc.SupportPackageIsVersion6
 
 // KeyServiceClient is the client API for KeyService service.
 //
@@ -646,10 +1019,10 @@ type KeyServiceClient interface {
 }
 
 type keyServiceClient struct {
-	cc *grpc.ClientConn
+	cc grpc.ClientConnInterface
 }
 
-func NewKeyServiceClient(cc *grpc.ClientConn) KeyServiceClient {
+func NewKeyServiceClient(cc grpc.ClientConnInterface) KeyServiceClient {
 	return &keyServiceClient{cc}
 }
 
@@ -681,10 +1054,10 @@ type KeyServiceServer interface {
 type UnimplementedKeyServiceServer struct {
 }
 
-func (*UnimplementedKeyServiceServer) Encrypt(ctx context.Context, req *EncryptRequest) (*EncryptResponse, error) {
+func (*UnimplementedKeyServiceServer) Encrypt(context.Context, *EncryptRequest) (*EncryptResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method Encrypt not implemented")
 }
-func (*UnimplementedKeyServiceServer) Decrypt(ctx context.Context, req *DecryptRequest) (*DecryptResponse, error) {
+func (*UnimplementedKeyServiceServer) Decrypt(context.Context, *DecryptRequest) (*DecryptResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method Decrypt not implemented")
 }
 
diff --git a/keyservice/keyservice.proto b/keyservice/keyservice.proto
index a6f5e436f..1d91a5709 100644
--- a/keyservice/keyservice.proto
+++ b/keyservice/keyservice.proto
@@ -7,6 +7,7 @@ message Key {
 		GcpKmsKey gcp_kms_key = 3;
 		AzureKeyVaultKey azure_keyvault_key = 4;
 		VaultKey vault_key = 5;
+		AgeKey age_key = 6;
 	}
 }
 
@@ -37,6 +38,10 @@ message AzureKeyVaultKey {
 	string version = 3;
 }
 
+message AgeKey {
+	string recipient = 1;
+}
+
 message EncryptRequest {
 	Key key = 1;
 	bytes plaintext = 2;
diff --git a/keyservice/server.go b/keyservice/server.go
index d2734bd97..08249ff24 100644
--- a/keyservice/server.go
+++ b/keyservice/server.go
@@ -3,6 +3,7 @@ package keyservice
 import (
 	"fmt"
 
+	"go.mozilla.org/sops/v3/age"
 	"go.mozilla.org/sops/v3/azkv"
 	"go.mozilla.org/sops/v3/gcpkms"
 	"go.mozilla.org/sops/v3/hcvault"
@@ -75,6 +76,18 @@ func (ks *Server) encryptWithVault(key *VaultKey, plaintext []byte) ([]byte, err
 	return []byte(vaultKey.EncryptedKey), nil
 }
 
+func (ks *Server) encryptWithAge(key *AgeKey, plaintext []byte) ([]byte, error) {
+	ageKey := age.MasterKey{
+		Recipient: key.Recipient,
+	}
+
+	if err := ageKey.Encrypt(plaintext); err != nil {
+		return nil, err
+	}
+
+	return []byte(ageKey.EncryptedKey), nil
+}
+
 func (ks *Server) decryptWithPgp(key *PgpKey, ciphertext []byte) ([]byte, error) {
 	pgpKey := pgp.NewMasterKeyFromFingerprint(key.Fingerprint)
 	pgpKey.EncryptedKey = string(ciphertext)
@@ -120,6 +133,15 @@ func (ks *Server) decryptWithVault(key *VaultKey, ciphertext []byte) ([]byte, er
 	return []byte(plaintext), err
 }
 
+func (ks *Server) decryptWithAge(key *AgeKey, ciphertext []byte) ([]byte, error) {
+	ageKey := age.MasterKey{
+		Recipient: key.Recipient,
+	}
+	ageKey.EncryptedKey = string(ciphertext)
+	plaintext, err := ageKey.Decrypt()
+	return []byte(plaintext), err
+}
+
 // Encrypt takes an encrypt request and encrypts the provided plaintext with the provided key, returning the encrypted
 // result
 func (ks Server) Encrypt(ctx context.Context,
@@ -167,6 +189,14 @@ func (ks Server) Encrypt(ctx context.Context,
 		response = &EncryptResponse{
 			Ciphertext: ciphertext,
 		}
+	case *Key_AgeKey:
+		ciphertext, err := ks.encryptWithAge(k.AgeKey, req.Plaintext)
+		if err != nil {
+			return nil, err
+		}
+		response = &EncryptResponse{
+			Ciphertext: ciphertext,
+		}
 	case nil:
 		return nil, status.Errorf(codes.NotFound, "Must provide a key")
 	default:
@@ -261,6 +291,14 @@ func (ks Server) Decrypt(ctx context.Context,
 		response = &DecryptResponse{
 			Plaintext: plaintext,
 		}
+	case *Key_AgeKey:
+		plaintext, err := ks.decryptWithAge(k.AgeKey, req.Ciphertext)
+		if err != nil {
+			return nil, err
+		}
+		response = &DecryptResponse{
+			Plaintext: plaintext,
+		}
 	case nil:
 		return nil, grpc.Errorf(codes.NotFound, "Must provide a key")
 	default:
diff --git a/kms/keysource.go b/kms/keysource.go
index 9fa8172e8..a602aac25 100644
--- a/kms/keysource.go
+++ b/kms/keysource.go
@@ -63,14 +63,14 @@ func (key *MasterKey) Encrypt(dataKey []byte) error {
 		sess, err := key.createSession()
 		if err != nil {
 			log.WithField("arn", key.Arn).Info("Encryption failed")
-			return fmt.Errorf("Failed to create session: %v", err)
+			return fmt.Errorf("Failed to create session: %w", err)
 		}
 		kmsSvc = kms.New(sess)
 	}
 	out, err := kmsSvc.Encrypt(&kms.EncryptInput{Plaintext: dataKey, KeyId: &key.Arn, EncryptionContext: key.EncryptionContext})
 	if err != nil {
 		log.WithField("arn", key.Arn).Info("Encryption failed")
-		return fmt.Errorf("Failed to call KMS encryption service: %v", err)
+		return fmt.Errorf("Failed to call KMS encryption service: %w", err)
 	}
 	key.EncryptedKey = base64.StdEncoding.EncodeToString(out.CiphertextBlob)
 	log.WithField("arn", key.Arn).Info("Encryption succeeded")
@@ -98,14 +98,14 @@ func (key *MasterKey) Decrypt() ([]byte, error) {
 		sess, err := key.createSession()
 		if err != nil {
 			log.WithField("arn", key.Arn).Info("Decryption failed")
-			return nil, fmt.Errorf("Error creating AWS session: %v", err)
+			return nil, fmt.Errorf("Error creating AWS session: %w", err)
 		}
 		kmsSvc = kms.New(sess)
 	}
 	decrypted, err := kmsSvc.Decrypt(&kms.DecryptInput{CiphertextBlob: k, EncryptionContext: key.EncryptionContext})
 	if err != nil {
 		log.WithField("arn", key.Arn).Info("Decryption failed")
-		return nil, fmt.Errorf("Error decrypting key: %v", err)
+		return nil, fmt.Errorf("Error decrypting key: %w", err)
 	}
 	log.WithField("arn", key.Arn).Info("Decryption succeeded")
 	return decrypted.Plaintext, nil
@@ -167,7 +167,7 @@ func (key MasterKey) createStsSession(config aws.Config, sess *session.Session)
 	}
 	stsRoleSessionNameRe, err := regexp.Compile("[^a-zA-Z0-9=,.@-]+")
 	if err != nil {
-		return nil, fmt.Errorf("Failed to compile STS role session name regex: %v", err)
+		return nil, fmt.Errorf("Failed to compile STS role session name regex: %w", err)
 	}
 	sanitizedHostname := stsRoleSessionNameRe.ReplaceAllString(hostname, "")
 	stsService := sts.New(sess)
@@ -175,13 +175,13 @@ func (key MasterKey) createStsSession(config aws.Config, sess *session.Session)
 	out, err := stsService.AssumeRole(&sts.AssumeRoleInput{
 		RoleArn: &key.Role, RoleSessionName: &name})
 	if err != nil {
-		return nil, fmt.Errorf("Failed to assume role %q: %v", key.Role, err)
+		return nil, fmt.Errorf("Failed to assume role %q: %w", key.Role, err)
 	}
 	config.Credentials = credentials.NewStaticCredentials(*out.Credentials.AccessKeyId,
 		*out.Credentials.SecretAccessKey, *out.Credentials.SessionToken)
 	sess, err = session.NewSession(&config)
 	if err != nil {
-		return nil, fmt.Errorf("Failed to create new aws session: %v", err)
+		return nil, fmt.Errorf("Failed to create new aws session: %w", err)
 	}
 	return sess, nil
 }
diff --git a/pgp/keysource.go b/pgp/keysource.go
index fd092339c..f025c66a2 100644
--- a/pgp/keysource.go
+++ b/pgp/keysource.go
@@ -80,14 +80,14 @@ func (key *MasterKey) encryptWithGPGBinary(dataKey []byte) error {
 	cmd.Stderr = &stderr
 	err := cmd.Run()
 	if err != nil {
-		return err
+		return fmt.Errorf("gpg binary failed with error: %s, %s", err, stderr.String())
 	}
 	key.EncryptedKey = stdout.String()
 	return nil
 }
 
 func getKeyFromKeyServer(fingerprint string) (openpgp.Entity, error) {
-	log.Warn("Deprecation Warning: GPG key fetching from a keyserver witihin sops will be removed in a future version of sops. See https://github.com/mozilla/sops/issues/727 for more information.")
+	log.Warn("Deprecation Warning: GPG key fetching from a keyserver within sops will be removed in a future version of sops. See https://github.com/mozilla/sops/issues/727 for more information.")
 
 	url := fmt.Sprintf("https://keys.openpgp.org/vks/v1/by-fingerprint/%s", fingerprint)
 	resp, err := http.Get(url)
diff --git a/pgp/keysource_test.go b/pgp/keysource_test.go
index ff9abb7fd..0c10996d1 100644
--- a/pgp/keysource_test.go
+++ b/pgp/keysource_test.go
@@ -15,12 +15,12 @@ func TestPGP(t *testing.T) {
 			return true
 		}
 		if err := key.Encrypt(x); err != nil {
-			t.Errorf("Failed to encrypt: %#v err: %v", x, err)
+			t.Errorf("Failed to encrypt: %#v err: %w", x, err)
 			return false
 		}
 		k, err := key.Decrypt()
 		if err != nil {
-			t.Errorf("Failed to decrypt: %#v err: %v", x, err)
+			t.Errorf("Failed to decrypt: %#v err: %w", x, err)
 			return false
 		}
 		return bytes.Equal(x, k)
diff --git a/shamir/shamir.go b/shamir/shamir.go
index e44da6120..10d7bc3ba 100644
--- a/shamir/shamir.go
+++ b/shamir/shamir.go
@@ -215,7 +215,7 @@ func Split(secret []byte, parts, threshold int) ([][]byte, error) {
 		// This polynomial crosses the y axis at `val`.
 		p, err := makePolynomial(val, uint8(threshold-1))
 		if err != nil {
-			return nil, fmt.Errorf("failed to generate polynomial: %v", err)
+			return nil, fmt.Errorf("failed to generate polynomial: %w", err)
 		}
 
 		// Generate a `parts` number of (x,y) pairs
diff --git a/sops.go b/sops.go
index a41f4a2d1..a6caa0df8 100644
--- a/sops.go
+++ b/sops.go
@@ -596,7 +596,7 @@ func (m *Metadata) UpdateMasterKeysWithKeyServices(dataKey []byte, svcs []keyser
 					Plaintext: part,
 				})
 				if err != nil {
-					keyErrs = append(keyErrs, fmt.Errorf("failed to encrypt new data key with master key %q: %v", key.ToString(), err))
+					keyErrs = append(keyErrs, fmt.Errorf("failed to encrypt new data key with master key %q: %w", key.ToString(), err))
 					continue
 				}
 				key.SetEncryptedDataKey(rsp.Ciphertext)
diff --git a/stores/ini/store.go b/stores/ini/store.go
index fce92597a..df5405294 100644
--- a/stores/ini/store.go
+++ b/stores/ini/store.go
@@ -5,7 +5,6 @@ import (
 	"encoding/json"
 	"fmt"
 
-	"reflect"
 	"strconv"
 	"strings"
 
@@ -252,56 +251,6 @@ func (store *Store) encodeMetadataToIniBranch(md stores.Metadata) (sops.TreeBran
 	return branch, nil
 }
 
-func encodeMetadataItem(prefix string, kind reflect.Kind, field reflect.Value) (map[string]interface{}, error) {
-
-	result := make(map[string]interface{}, 0)
-
-	switch kind {
-	case reflect.Slice:
-		slf := field
-		for j := 0; j < slf.Len(); j++ {
-			item := slf.Index(j)
-			p := fmt.Sprintf("%s[%d]", prefix, j)
-			r, err := encodeMetadataItem(p, item.Type().Kind(), item)
-			if err != nil {
-				return result, err
-			}
-			for k, v := range r {
-				result[k] = v
-			}
-		}
-	case reflect.Struct:
-		for i := 0; i < field.NumField(); i++ {
-			sf := field.Type().Field(i)
-			var name string
-			if prefix == "" {
-				name = sf.Name
-			} else {
-				name = fmt.Sprintf("%s.%s", prefix, sf.Name)
-			}
-			r, err := encodeMetadataItem(name, sf.Type.Kind(), field.Field(i))
-			if err != nil {
-				return result, err
-			}
-			for k, v := range r {
-				result[k] = v
-			}
-		}
-	case reflect.Int:
-		if field.Int() != 0 {
-			result[prefix] = string(field.Int())
-		}
-	case reflect.String:
-		if field.String() != "" {
-			result[prefix] = strings.Replace(field.String(), "\n", "\\n", -1)
-		}
-	default:
-		return result, fmt.Errorf("Cannot encode %s, unexpected type %s", prefix, kind)
-	}
-
-	return result, nil
-}
-
 // EmitPlainFile returns the plaintext INI file bytes corresponding to a sops.TreeBranches object
 func (store *Store) EmitPlainFile(in sops.TreeBranches) ([]byte, error) {
 	out, err := store.iniFromTreeBranches(in)
diff --git a/stores/stores.go b/stores/stores.go
index 236940fb2..da8781ab2 100644
--- a/stores/stores.go
+++ b/stores/stores.go
@@ -15,6 +15,7 @@ import (
 	"fmt"
 
 	"go.mozilla.org/sops/v3"
+	"go.mozilla.org/sops/v3/age"
 	"go.mozilla.org/sops/v3/azkv"
 	"go.mozilla.org/sops/v3/gcpkms"
 	"go.mozilla.org/sops/v3/hcvault"
@@ -42,6 +43,7 @@ type Metadata struct {
 	GCPKMSKeys                []gcpkmskey `yaml:"gcp_kms" json:"gcp_kms"`
 	AzureKeyVaultKeys         []azkvkey   `yaml:"azure_kv" json:"azure_kv"`
 	VaultKeys                 []vaultkey  `yaml:"hc_vault" json:"hc_vault"`
+	AgeKeys                   []agekey    `yaml:"age" json:"age"`
 	LastModified              string      `yaml:"lastmodified" json:"lastmodified"`
 	MessageAuthenticationCode string      `yaml:"mac" json:"mac"`
 	PGPKeys                   []pgpkey    `yaml:"pgp" json:"pgp"`
@@ -58,6 +60,7 @@ type keygroup struct {
 	GCPKMSKeys        []gcpkmskey `yaml:"gcp_kms,omitempty" json:"gcp_kms,omitempty"`
 	AzureKeyVaultKeys []azkvkey   `yaml:"azure_kv,omitempty" json:"azure_kv,omitempty"`
 	VaultKeys         []vaultkey  `yaml:"hc_vault" json:"hc_vault"`
+	AgeKeys           []agekey    `yaml:"age" json:"age"`
 }
 
 type pgpkey struct {
@@ -97,6 +100,11 @@ type azkvkey struct {
 	EncryptedDataKey string `yaml:"enc" json:"enc"`
 }
 
+type agekey struct {
+	Recipient        string `yaml:"recipient" json:"recipient"`
+	EncryptedDataKey string `yaml:"enc" json:"enc"`
+}
+
 // MetadataFromInternal converts an internal SOPS metadata representation to a representation appropriate for storage
 func MetadataFromInternal(sopsMetadata sops.Metadata) Metadata {
 	var m Metadata
@@ -115,6 +123,7 @@ func MetadataFromInternal(sopsMetadata sops.Metadata) Metadata {
 		m.GCPKMSKeys = gcpkmsKeysFromGroup(group)
 		m.VaultKeys = vaultKeysFromGroup(group)
 		m.AzureKeyVaultKeys = azkvKeysFromGroup(group)
+		m.AgeKeys = ageKeysFromGroup(group)
 	} else {
 		for _, group := range sopsMetadata.KeyGroups {
 			m.KeyGroups = append(m.KeyGroups, keygroup{
@@ -123,6 +132,7 @@ func MetadataFromInternal(sopsMetadata sops.Metadata) Metadata {
 				GCPKMSKeys:        gcpkmsKeysFromGroup(group),
 				VaultKeys:         vaultKeysFromGroup(group),
 				AzureKeyVaultKeys: azkvKeysFromGroup(group),
+				AgeKeys:           ageKeysFromGroup(group),
 			})
 		}
 	}
@@ -206,6 +216,19 @@ func azkvKeysFromGroup(group sops.KeyGroup) (keys []azkvkey) {
 	return
 }
 
+func ageKeysFromGroup(group sops.KeyGroup) (keys []agekey) {
+	for _, key := range group {
+		switch key := key.(type) {
+		case *age.MasterKey:
+			keys = append(keys, agekey{
+				Recipient:        key.Recipient,
+				EncryptedDataKey: key.EncryptedKey,
+			})
+		}
+	}
+	return
+}
+
 // ToInternal converts a storage-appropriate Metadata struct to a SOPS internal representation
 func (m *Metadata) ToInternal() (sops.Metadata, error) {
 	lastModified, err := time.Parse(time.RFC3339, m.LastModified)
@@ -251,7 +274,7 @@ func (m *Metadata) ToInternal() (sops.Metadata, error) {
 	}, nil
 }
 
-func internalGroupFrom(kmsKeys []kmskey, pgpKeys []pgpkey, gcpKmsKeys []gcpkmskey, azkvKeys []azkvkey, vaultKeys []vaultkey) (sops.KeyGroup, error) {
+func internalGroupFrom(kmsKeys []kmskey, pgpKeys []pgpkey, gcpKmsKeys []gcpkmskey, azkvKeys []azkvkey, vaultKeys []vaultkey, ageKeys []agekey) (sops.KeyGroup, error) {
 	var internalGroup sops.KeyGroup
 	for _, kmsKey := range kmsKeys {
 		k, err := kmsKey.toInternal()
@@ -288,13 +311,20 @@ func internalGroupFrom(kmsKeys []kmskey, pgpKeys []pgpkey, gcpKmsKeys []gcpkmske
 		}
 		internalGroup = append(internalGroup, k)
 	}
+	for _, ageKey := range ageKeys {
+		k, err := ageKey.toInternal()
+		if err != nil {
+			return nil, err
+		}
+		internalGroup = append(internalGroup, k)
+	}
 	return internalGroup, nil
 }
 
 func (m *Metadata) internalKeygroups() ([]sops.KeyGroup, error) {
 	var internalGroups []sops.KeyGroup
-	if len(m.PGPKeys) > 0 || len(m.KMSKeys) > 0 || len(m.GCPKMSKeys) > 0 || len(m.AzureKeyVaultKeys) > 0 || len(m.VaultKeys) > 0 {
-		internalGroup, err := internalGroupFrom(m.KMSKeys, m.PGPKeys, m.GCPKMSKeys, m.AzureKeyVaultKeys, m.VaultKeys)
+	if len(m.PGPKeys) > 0 || len(m.KMSKeys) > 0 || len(m.GCPKMSKeys) > 0 || len(m.AzureKeyVaultKeys) > 0 || len(m.VaultKeys) > 0 || len(m.AgeKeys) > 0 {
+		internalGroup, err := internalGroupFrom(m.KMSKeys, m.PGPKeys, m.GCPKMSKeys, m.AzureKeyVaultKeys, m.VaultKeys, m.AgeKeys)
 		if err != nil {
 			return nil, err
 		}
@@ -302,7 +332,7 @@ func (m *Metadata) internalKeygroups() ([]sops.KeyGroup, error) {
 		return internalGroups, nil
 	} else if len(m.KeyGroups) > 0 {
 		for _, group := range m.KeyGroups {
-			internalGroup, err := internalGroupFrom(group.KMSKeys, group.PGPKeys, group.GCPKMSKeys, group.AzureKeyVaultKeys, group.VaultKeys)
+			internalGroup, err := internalGroupFrom(group.KMSKeys, group.PGPKeys, group.GCPKMSKeys, group.AzureKeyVaultKeys, group.VaultKeys, group.AgeKeys)
 			if err != nil {
 				return nil, err
 			}
@@ -381,6 +411,13 @@ func (pgpKey *pgpkey) toInternal() (*pgp.MasterKey, error) {
 	}, nil
 }
 
+func (ageKey *agekey) toInternal() (*age.MasterKey, error) {
+	return &age.MasterKey{
+		EncryptedKey: ageKey.EncryptedDataKey,
+		Recipient:    ageKey.Recipient,
+	}, nil
+}
+
 // ExampleComplexTree is an example sops.Tree object exhibiting complex relationships
 var ExampleComplexTree = sops.Tree{
 	Branches: sops.TreeBranches{
diff --git a/stores/yaml/store.go b/stores/yaml/store.go
index 989a4f056..a3ae2fb46 100644
--- a/stores/yaml/store.go
+++ b/stores/yaml/store.go
@@ -1,9 +1,12 @@
 package yaml //import "go.mozilla.org/sops/v3/stores/yaml"
 
 import (
+	"bytes"
 	"fmt"
+	"io"
+	"strings"
 
-	"github.com/mozilla-services/yaml"
+	"gopkg.in/yaml.v3"
 	"go.mozilla.org/sops/v3"
 	"go.mozilla.org/sops/v3/stores"
 )
@@ -12,102 +15,232 @@ import (
 type Store struct {
 }
 
-func (store Store) mapSliceToTreeBranch(in yaml.MapSlice) sops.TreeBranch {
-	branch := make(sops.TreeBranch, 0)
-	for _, item := range in {
-		if comment, ok := item.Key.(yaml.Comment); ok {
-			// Convert the yaml comment to a generic sops comment
-			branch = append(branch, sops.TreeItem{
-				Key: sops.Comment{
-					Value: comment.Value,
-				},
-				Value: nil,
-			})
-		} else {
-			branch = append(branch, sops.TreeItem{
-				Key:   item.Key,
-				Value: store.yamlValueToTreeValue(item.Value),
-			})
+func (store Store) appendCommentToList(comment string, list []interface{}) []interface{} {
+	if comment != "" {
+		for _, commentLine := range strings.Split(comment, "\n") {
+			if commentLine != "" {
+				list = append(list, sops.Comment{
+					Value: commentLine[1:],
+				})
+			}
+		}
+	}
+	return list
+}
+
+func (store Store) appendCommentToMap(comment string, branch sops.TreeBranch) sops.TreeBranch {
+	if comment != "" {
+		for _, commentLine := range strings.Split(comment, "\n") {
+			if commentLine != "" {
+				branch = append(branch, sops.TreeItem{
+					Key: sops.Comment{
+						Value: commentLine[1:],
+					},
+					Value: nil,
+				})
+			}
 		}
 	}
 	return branch
 }
 
-func (store Store) yamlValueToTreeValue(in interface{}) interface{} {
-	switch in := in.(type) {
-	case map[interface{}]interface{}:
-		return store.yamlMapToTreeBranch(in)
-	case yaml.MapSlice:
-		return store.mapSliceToTreeBranch(in)
-	case []interface{}:
-		return store.yamlSliceToTreeValue(in)
-	case yaml.Comment:
-		return sops.Comment{Value: in.Value}
-	default:
-		return in
+func (store Store) nodeToTreeValue(node *yaml.Node, commentsWereHandled bool) (interface{}, error) {
+	switch node.Kind {
+	case yaml.DocumentNode:
+		panic("documents should never be passed here")
+	case yaml.SequenceNode:
+		var result []interface{}
+		if !commentsWereHandled {
+			result = store.appendCommentToList(node.HeadComment, result)
+			result = store.appendCommentToList(node.LineComment, result)
+		}
+		for _, item := range node.Content {
+			result = store.appendCommentToList(item.HeadComment, result)
+			result = store.appendCommentToList(item.LineComment, result)
+			val, err := store.nodeToTreeValue(item, true)
+			if err != nil {
+				return nil, err
+			}
+			result = append(result, val)
+			result = store.appendCommentToList(item.FootComment, result)
+		}
+		if !commentsWereHandled {
+			result = store.appendCommentToList(node.FootComment, result)
+		}
+		return result, nil
+	case yaml.MappingNode:
+		branch := make(sops.TreeBranch, 0)
+		return store.appendYamlNodeToTreeBranch(node, branch, false)
+	case yaml.ScalarNode:
+		var result interface{}
+		node.Decode(&result)
+		return result, nil
+	case yaml.AliasNode:
+		return store.nodeToTreeValue(node.Alias, false);
 	}
+	return nil, nil
 }
 
-func (store *Store) yamlSliceToTreeValue(in []interface{}) []interface{} {
-	for i, v := range in {
-		in[i] = store.yamlValueToTreeValue(v)
+func (store Store) appendYamlNodeToTreeBranch(node *yaml.Node, branch sops.TreeBranch, commentsWereHandled bool) (sops.TreeBranch, error) {
+	var err error
+	if !commentsWereHandled {
+		branch = store.appendCommentToMap(node.HeadComment, branch)
+		branch = store.appendCommentToMap(node.LineComment, branch)
+	}
+	switch node.Kind {
+	case yaml.DocumentNode:
+		for _, item := range node.Content {
+			branch, err = store.appendYamlNodeToTreeBranch(item, branch, false)
+			if err != nil {
+				return nil, err
+			}
+		}
+	case yaml.SequenceNode:
+		return nil, fmt.Errorf("YAML documents that are sequences are not supported")
+	case yaml.MappingNode:
+		for i := 0; i < len(node.Content); i += 2 {
+			key := node.Content[i]
+			value := node.Content[i + 1]
+			branch = store.appendCommentToMap(key.HeadComment, branch)
+			branch = store.appendCommentToMap(key.LineComment, branch)
+			handleValueComments := value.Kind == yaml.ScalarNode || value.Kind == yaml.AliasNode
+			if handleValueComments {
+				branch = store.appendCommentToMap(value.HeadComment, branch)
+				branch = store.appendCommentToMap(value.LineComment, branch)
+			}
+			var keyValue interface{}
+			key.Decode(&keyValue)
+			valueTV, err := store.nodeToTreeValue(value, handleValueComments)
+			if err != nil {
+				return nil, err
+			}
+			branch = append(branch, sops.TreeItem{
+				Key:   keyValue,
+				Value: valueTV,
+			})
+			if handleValueComments {
+				branch = store.appendCommentToMap(value.FootComment, branch)
+			}
+			branch = store.appendCommentToMap(key.FootComment, branch)
+		}
+	case yaml.ScalarNode:
+		// A empty document with a document start marker without comments results in null
+		if node.ShortTag() == "!!null" {
+			return branch, nil
+		}
+		return nil, fmt.Errorf("YAML documents that are values are not supported")
+	case yaml.AliasNode:
+		branch, err = store.appendYamlNodeToTreeBranch(node.Alias, branch, false)
 	}
-	return in
+	if !commentsWereHandled {
+		branch = store.appendCommentToMap(node.FootComment, branch)
+	}
+	return branch, nil
 }
 
-func (store *Store) yamlMapToTreeBranch(in map[interface{}]interface{}) sops.TreeBranch {
+func (store Store) yamlDocumentNodeToTreeBranch(in yaml.Node) (sops.TreeBranch, error) {
 	branch := make(sops.TreeBranch, 0)
-	for k, v := range in {
-		branch = append(branch, sops.TreeItem{
-			Key:   k.(string),
-			Value: store.yamlValueToTreeValue(v),
-		})
+	return store.appendYamlNodeToTreeBranch(&in, branch, false)
+}
+
+func (store *Store) addCommentsHead(node *yaml.Node, comments []string) []string {
+	if len(comments) > 0 {
+		comment := "#" + strings.Join(comments, "\n#")
+		if len(node.HeadComment) > 0 {
+			node.HeadComment = comment + "\n" + node.HeadComment
+		} else {
+			node.HeadComment = comment
+		}
 	}
-	return branch
+	return nil
 }
 
-func (store Store) treeValueToYamlValue(in interface{}) interface{} {
+func (store *Store) addCommentsFoot(node *yaml.Node, comments []string) []string {
+	if len(comments) > 0 {
+		comment := "#" + strings.Join(comments, "\n#")
+		if len(node.FootComment) > 0 {
+			node.FootComment += "\n" + comment
+		} else {
+			node.FootComment = comment
+		}
+	}
+	return nil
+}
+
+func (store *Store) treeValueToNode(in interface{}) *yaml.Node {
 	switch in := in.(type) {
 	case sops.TreeBranch:
-		return store.treeBranchToYamlMap(in)
-	case sops.Comment:
-		return yaml.Comment{in.Value}
+		var mapping = &yaml.Node{}
+		mapping.Kind = yaml.MappingNode
+		store.appendTreeBranch(in, mapping)
+		return mapping
 	case []interface{}:
-		var out []interface{}
-		for _, v := range in {
-			out = append(out, store.treeValueToYamlValue(v))
-		}
-		return out
+		var sequence = &yaml.Node{}
+		sequence.Kind = yaml.SequenceNode
+		store.appendSequence(in, sequence)
+		return sequence
 	default:
-		return in
+		var valueNode = &yaml.Node{}
+		valueNode.Encode(in)
+		return valueNode
 	}
 }
 
-func (store Store) treeBranchToYamlMap(in sops.TreeBranch) yaml.MapSlice {
-	branch := make(yaml.MapSlice, 0)
+func (store *Store) appendSequence(in []interface{}, sequence *yaml.Node) {
+	var comments []string
+	var beginning bool = true
 	for _, item := range in {
+		if comment, ok := item.(sops.Comment); ok {
+			comments = append(comments, comment.Value)
+		} else {
+			if beginning {
+				comments = store.addCommentsHead(sequence, comments)
+				beginning = false
+			}
+			itemNode := store.treeValueToNode(item)
+			comments = store.addCommentsHead(itemNode, comments)
+			sequence.Content = append(sequence.Content, itemNode)
+		}
+	}
+	if len(comments) > 0 {
+		if beginning {
+			comments = store.addCommentsHead(sequence, comments)
+		} else {
+			comments = store.addCommentsFoot(sequence.Content[len(sequence.Content) - 1], comments)
+		}
+	}
+}
+
+func (store *Store) appendTreeBranch(branch sops.TreeBranch, mapping *yaml.Node) {
+	var comments []string
+	var beginning bool = true
+	for _, item := range branch {
 		if comment, ok := item.Key.(sops.Comment); ok {
-			branch = append(branch, yaml.MapItem{
-				Key:   store.treeValueToYamlValue(comment),
-				Value: nil,
-			})
+			comments = append(comments, comment.Value)
 		} else {
-			branch = append(branch, yaml.MapItem{
-				Key:   item.Key,
-				Value: store.treeValueToYamlValue(item.Value),
-			})
+			if beginning {
+				comments = store.addCommentsHead(mapping, comments)
+				beginning = false
+			}
+			var keyNode = &yaml.Node{}
+			keyNode.Encode(item.Key)
+			comments = store.addCommentsHead(keyNode, comments)
+			valueNode := store.treeValueToNode(item.Value)
+			mapping.Content = append(mapping.Content, keyNode, valueNode)
+		}
+	}
+	if len(comments) > 0 {
+		if beginning {
+			comments = store.addCommentsHead(mapping, comments)
+		} else {
+			comments = store.addCommentsFoot(mapping.Content[len(mapping.Content) - 1], comments)
 		}
 	}
-	return branch
 }
 
 // LoadEncryptedFile loads the contents of an encrypted yaml file onto a
 // sops.Tree runtime object
 func (store *Store) LoadEncryptedFile(in []byte) (sops.Tree, error) {
-	var data []yaml.MapSlice
-	if err := (yaml.CommentUnmarshaler{}).UnmarshalDocuments(in, &data); err != nil {
-		return sops.Tree{}, fmt.Errorf("Error unmarshaling input YAML: %s", err)
-	}
 	// Because we don't know what fields the input file will have, we have to
 	// load the file in two steps.
 	// First, we load the file's metadata, the structure of which is known.
@@ -123,14 +256,33 @@ func (store *Store) LoadEncryptedFile(in []byte) (sops.Tree, error) {
 	if err != nil {
 		return sops.Tree{}, err
 	}
+	var data yaml.Node
+	if err := yaml.Unmarshal(in, &data); err != nil {
+		return sops.Tree{}, fmt.Errorf("Error unmarshaling input YAML: %s", err)
+	}
 	var branches sops.TreeBranches
-	for _, doc := range data {
-		for i, item := range doc {
-			if item.Key == "sops" { // Erase
-				doc = append(doc[:i], doc[i+1:]...)
+	d := yaml.NewDecoder(bytes.NewReader(in))
+	for true {
+		var data yaml.Node
+		err := d.Decode(&data)
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return sops.Tree{}, fmt.Errorf("Error unmarshaling input YAML: %s", err)
+		}
+
+		branch, err := store.yamlDocumentNodeToTreeBranch(data)
+		if err != nil {
+			return sops.Tree{}, fmt.Errorf("Error unmarshaling input YAML: %s", err)
+		}
+
+		for i, elt := range branch {
+			if elt.Key == "sops" { // Erase
+				branch = append(branch[:i], branch[i+1:]...)
 			}
 		}
-		branches = append(branches, store.mapSliceToTreeBranch(doc))
+		branches = append(branches, branch)
 	}
 	return sops.Tree{
 		Branches: branches,
@@ -139,16 +291,25 @@ func (store *Store) LoadEncryptedFile(in []byte) (sops.Tree, error) {
 }
 
 // LoadPlainFile loads the contents of a plaintext yaml file onto a
-// sops.Tree runtime obejct
+// sops.Tree runtime object
 func (store *Store) LoadPlainFile(in []byte) (sops.TreeBranches, error) {
-	var data []yaml.MapSlice
-	if err := (yaml.CommentUnmarshaler{}).UnmarshalDocuments(in, &data); err != nil {
-		return nil, fmt.Errorf("Error unmarshaling input YAML: %s", err)
-	}
-
 	var branches sops.TreeBranches
-	for _, doc := range data {
-		branches = append(branches, store.mapSliceToTreeBranch(doc))
+	d := yaml.NewDecoder(bytes.NewReader(in))
+	for true {
+		var data yaml.Node
+		err := d.Decode(&data)
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return nil, fmt.Errorf("Error unmarshaling input YAML: %s", err)
+		}
+
+		branch, err := store.yamlDocumentNodeToTreeBranch(data)
+		if err != nil {
+			return nil, fmt.Errorf("Error unmarshaling input YAML: %s", err)
+		}
+		branches = append(branches, branch)
 	}
 	return branches, nil
 }
@@ -156,45 +317,70 @@ func (store *Store) LoadPlainFile(in []byte) (sops.TreeBranches, error) {
 // EmitEncryptedFile returns the encrypted bytes of the yaml file corresponding to a
 // sops.Tree runtime object
 func (store *Store) EmitEncryptedFile(in sops.Tree) ([]byte, error) {
-	out := []byte{}
-	for i, branch := range in.Branches {
-		if i > 0 {
-			out = append(out, "---\n"...)
-		}
-		yamlMap := store.treeBranchToYamlMap(branch)
-		yamlMap = append(yamlMap, yaml.MapItem{Key: "sops", Value: stores.MetadataFromInternal(in.Metadata)})
-		tout, err := (&yaml.YAMLMarshaler{Indent: 4}).Marshal(yamlMap)
+    var b bytes.Buffer
+	e := yaml.NewEncoder(io.Writer(&b))
+	e.SetIndent(4)
+	for _, branch := range in.Branches {
+		// Document root
+		var doc = yaml.Node{}
+		doc.Kind = yaml.DocumentNode
+		// Add global mapping
+		var mapping = yaml.Node{}
+		mapping.Kind = yaml.MappingNode
+		doc.Content = append(doc.Content, &mapping)
+		// Create copy of branch with metadata appended
+		branch = append(sops.TreeBranch(nil), branch...)
+		branch = append(branch, sops.TreeItem{
+			Key: "sops",
+			Value: stores.MetadataFromInternal(in.Metadata),
+		})
+		// Marshal branch to global mapping node
+		store.appendTreeBranch(branch, &mapping)
+		// Encode YAML
+		err := e.Encode(&doc)
 		if err != nil {
 			return nil, fmt.Errorf("Error marshaling to yaml: %s", err)
 		}
-		out = append(out, tout...)
 	}
-	return out, nil
+	e.Close()
+	return b.Bytes(), nil
 }
 
 // EmitPlainFile returns the plaintext bytes of the yaml file corresponding to a
 // sops.TreeBranches runtime object
 func (store *Store) EmitPlainFile(branches sops.TreeBranches) ([]byte, error) {
-	var out []byte
-	for i, branch := range branches {
-		if i > 0 {
-			out = append(out, "---\n"...)
+    var b bytes.Buffer
+	e := yaml.NewEncoder(io.Writer(&b))
+	e.SetIndent(4)
+	for _, branch := range branches {
+		// Document root
+		var doc = yaml.Node{}
+		doc.Kind = yaml.DocumentNode
+		// Add global mapping
+		var mapping = yaml.Node{}
+		mapping.Kind = yaml.MappingNode
+		// Marshal branch to global mapping node
+		store.appendTreeBranch(branch, &mapping)
+		if len(mapping.Content) == 0 {
+			doc.HeadComment = mapping.HeadComment
+		} else {
+			doc.Content = append(doc.Content, &mapping)
 		}
-		yamlMap := store.treeBranchToYamlMap(branch)
-		tmpout, err := (&yaml.YAMLMarshaler{Indent: 4}).Marshal(yamlMap)
+		// Encode YAML
+		err := e.Encode(&doc)
 		if err != nil {
 			return nil, fmt.Errorf("Error marshaling to yaml: %s", err)
 		}
-		out = append(out[:], tmpout[:]...)
 	}
-	return out, nil
+	e.Close()
+	return b.Bytes(), nil
 }
 
 // EmitValue returns bytes corresponding to a single encoded value
 // in a generic interface{} object
 func (store *Store) EmitValue(v interface{}) ([]byte, error) {
-	v = store.treeValueToYamlValue(v)
-	return (&yaml.YAMLMarshaler{Indent: 4}).Marshal(v)
+	n := store.treeValueToNode(v)
+	return yaml.Marshal(n)
 }
 
 // EmitExample returns the bytes corresponding to an example complex tree
diff --git a/stores/yaml/store_test.go b/stores/yaml/store_test.go
index bed993507..be6b90eb2 100644
--- a/stores/yaml/store_test.go
+++ b/stores/yaml/store_test.go
@@ -15,8 +15,18 @@ key1_a: value
 ---
 key2: value2`)
 
+var PLAIN_0 = []byte(`# comment 0
+key1: value
+key1_a: value
+# ^ comment 1
+`)
+
 var BRANCHES = sops.TreeBranches{
 	sops.TreeBranch{
+		sops.TreeItem{
+			Key:   sops.Comment{" comment 0"},
+			Value: nil,
+		},
 		sops.TreeItem{
 			Key:   "key1",
 			Value: "value",
@@ -38,6 +48,49 @@ var BRANCHES = sops.TreeBranches{
 	},
 }
 
+var COMMENT_1 = []byte(`# test
+a:
+    b: null
+    # foo
+`)
+
+var COMMENT_2 = []byte(`a:
+    # foo
+    b: null
+`)
+
+var COMMENT_3_IN = []byte(`## Configuration for prometheus-node-exporter subchart
+##
+prometheus-node-exporter:
+  podLabels:
+    ## Add the 'node-exporter' label to be used by serviceMonitor to match standard common usage in rules and grafana dashboards
+    ##
+
+    jobLabel: node-exporter
+  extraArgs:
+    - --collector.filesystem.ignored-mount-points=^/(dev|proc|sys|var/lib/docker/.+)($|/)
+    - --collector.filesystem.ignored-fs-types=^(autofs|binfmt_misc|cgroup|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|mqueue|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|sysfs|tracefs)$
+`)
+var COMMENT_3_OUT = []byte(`## Configuration for prometheus-node-exporter subchart
+##
+prometheus-node-exporter:
+    podLabels:
+        ## Add the 'node-exporter' label to be used by serviceMonitor to match standard common usage in rules and grafana dashboards
+        ##
+        jobLabel: node-exporter
+    extraArgs:
+        - --collector.filesystem.ignored-mount-points=^/(dev|proc|sys|var/lib/docker/.+)($|/)
+        - --collector.filesystem.ignored-fs-types=^(autofs|binfmt_misc|cgroup|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|mqueue|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|sysfs|tracefs)$
+`)
+
+var COMMENT_4 = []byte(`# foo
+`)
+
+var COMMENT_5 = []byte(`# foo
+---
+key: value
+`)
+
 func TestUnmarshalMetadataFromNonSOPSFile(t *testing.T) {
 	data := []byte(`hello: 2`)
 	_, err := (&Store{}).LoadEncryptedFile(data)
@@ -49,3 +102,86 @@ func TestLoadPlainFile(t *testing.T) {
 	assert.Nil(t, err)
 	assert.Equal(t, BRANCHES, branches)
 }
+
+func TestComment1(t *testing.T) {
+	// First iteration: load and store
+	branches, err := (&Store{}).LoadPlainFile(COMMENT_1)
+	assert.Nil(t, err)
+	bytes, err := (&Store{}).EmitPlainFile(branches)
+	assert.Nil(t, err)
+	assert.Equal(t, string(COMMENT_1), string(bytes))
+	assert.Equal(t, COMMENT_1, bytes)
+}
+
+func TestComment2(t *testing.T) {
+	// First iteration: load and store
+	branches, err := (&Store{}).LoadPlainFile(COMMENT_2)
+	assert.Nil(t, err)
+	bytes, err := (&Store{}).EmitPlainFile(branches)
+	assert.Nil(t, err)
+	assert.Equal(t, string(COMMENT_2), string(bytes))
+	assert.Equal(t, COMMENT_2, bytes)
+}
+
+func TestComment3(t *testing.T) {
+	// First iteration: load and store
+	branches, err := (&Store{}).LoadPlainFile(COMMENT_3_IN)
+	assert.Nil(t, err)
+	bytes, err := (&Store{}).EmitPlainFile(branches)
+	assert.Nil(t, err)
+	assert.Equal(t, string(COMMENT_3_OUT), string(bytes))
+	assert.Equal(t, COMMENT_3_OUT, bytes)
+}
+
+/* TODO: re-enable once https://github.com/go-yaml/yaml/pull/690 is merged
+func TestComment4(t *testing.T) {
+	// First iteration: load and store
+	branches, err := (&Store{}).LoadPlainFile(COMMENT_4)
+	assert.Nil(t, err)
+	bytes, err := (&Store{}).EmitPlainFile(branches)
+	assert.Nil(t, err)
+	assert.Equal(t, string(COMMENT_4), string(bytes))
+	assert.Equal(t, COMMENT_4, bytes)
+}
+
+func TestComment5(t *testing.T) {
+	// First iteration: load and store
+	branches, err := (&Store{}).LoadPlainFile(COMMENT_5)
+	assert.Nil(t, err)
+	bytes, err := (&Store{}).EmitPlainFile(branches)
+	assert.Nil(t, err)
+	assert.Equal(t, string(COMMENT_5), string(bytes))
+	assert.Equal(t, COMMENT_5, bytes)
+}
+*/
+
+func TestEmpty(t *testing.T) {
+	// First iteration: load and store
+	branches, err := (&Store{}).LoadPlainFile([]byte(``))
+	assert.Nil(t, err)
+	assert.Equal(t, len(branches), 0)
+	bytes, err := (&Store{}).EmitPlainFile(branches)
+	assert.Nil(t, err)
+	assert.Equal(t, ``, string(bytes))
+}
+
+/* TODO: re-enable once https://github.com/go-yaml/yaml/pull/690 is merged
+func TestEmpty2(t *testing.T) {
+	// First iteration: load and store
+	branches, err := (&Store{}).LoadPlainFile([]byte(`---`))
+	assert.Nil(t, err)
+	assert.Equal(t, len(branches), 1)
+	assert.Equal(t, len(branches[0]), 0)
+	bytes, err := (&Store{}).EmitPlainFile(branches)
+	assert.Nil(t, err)
+	assert.Equal(t, ``, string(bytes))
+}
+*/
+
+func TestEmitValue(t *testing.T) {
+	// First iteration: load and store
+	bytes, err := (&Store{}).EmitValue(BRANCHES[0])
+	assert.Nil(t, err)
+	assert.Equal(t, string(PLAIN_0), string(bytes))
+	assert.Equal(t, PLAIN_0, bytes)
+}
diff --git a/version/version.go b/version/version.go
index 892ff6f59..cbcff60f0 100644
--- a/version/version.go
+++ b/version/version.go
@@ -11,7 +11,7 @@ import (
 )
 
 // Version represents the value of the current semantic version
-const Version = "3.6.1"
+const Version = "3.7.0"
 
 // PrintVersion handles the version command for sops
 func PrintVersion(c *cli.Context) {
@@ -74,7 +74,7 @@ func RetrieveLatestVersionFromUpstream() (string, error) {
 			// try to parse the version as semver
 			_, err := semver.Make(comps[1])
 			if err != nil {
-				return "", fmt.Errorf("Retrieved version %q does not match semver format: %v", comps[1], err)
+				return "", fmt.Errorf("Retrieved version %q does not match semver format: %w", comps[1], err)
 			}
 			return comps[1], nil
 		}